diff --git a/oas_docs/output/kibana.serverless.staging.yaml b/oas_docs/output/kibana.serverless.staging.yaml index b669d67aaab60..a7ab200940aef 100644 --- a/oas_docs/output/kibana.serverless.staging.yaml +++ b/oas_docs/output/kibana.serverless.staging.yaml @@ -23492,10 +23492,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array tiebreaker_field: $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' timestamp_field: @@ -23585,6 +23581,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -23709,6 +23709,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -23830,6 +23834,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -23934,6 +23942,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -24068,6 +24080,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24192,6 +24208,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24237,10 +24257,6 @@ components: properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_EsqlRulePatchProps: allOf: - type: object @@ -24311,6 +24327,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24437,6 +24457,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24676,6 +24700,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -24803,6 +24831,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24930,6 +24962,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25053,6 +25089,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25166,6 +25206,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25295,6 +25339,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -25352,10 +25400,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object @@ -25440,6 +25484,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25571,6 +25619,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25805,6 +25857,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25931,6 +25987,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -25989,10 +26049,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_QueryRulePatchFields: @@ -26072,6 +26128,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -26195,6 +26255,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -26904,6 +26968,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27033,6 +27101,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -27092,10 +27164,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object @@ -27176,6 +27244,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27302,6 +27374,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27552,6 +27628,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27681,6 +27761,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -27836,6 +27920,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27971,6 +28059,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28171,6 +28263,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28300,6 +28396,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28442,6 +28542,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28571,6 +28675,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
diff --git a/oas_docs/output/kibana.serverless.yaml b/oas_docs/output/kibana.serverless.yaml index b669d67aaab60..a7ab200940aef 100644 --- a/oas_docs/output/kibana.serverless.yaml +++ b/oas_docs/output/kibana.serverless.yaml @@ -23492,10 +23492,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array tiebreaker_field: $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' timestamp_field: @@ -23585,6 +23581,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -23709,6 +23709,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -23830,6 +23834,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -23934,6 +23942,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -24068,6 +24080,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24192,6 +24208,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24237,10 +24257,6 @@ components: properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_EsqlRulePatchProps: allOf: - type: object @@ -24311,6 +24327,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24437,6 +24457,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24676,6 +24700,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -24803,6 +24831,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -24930,6 +24962,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25053,6 +25089,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25166,6 +25206,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25295,6 +25339,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -25352,10 +25400,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object @@ -25440,6 +25484,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25571,6 +25619,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25805,6 +25857,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -25931,6 +25987,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -25989,10 +26049,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_QueryRulePatchFields: @@ -26072,6 +26128,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -26195,6 +26255,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -26904,6 +26968,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27033,6 +27101,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -27092,10 +27164,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object @@ -27176,6 +27244,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27302,6 +27374,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27552,6 +27628,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27681,6 +27761,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -27836,6 +27920,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -27971,6 +28059,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28171,6 +28263,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28300,6 +28396,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28442,6 +28542,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -28571,6 +28675,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
diff --git a/oas_docs/output/kibana.staging.yaml b/oas_docs/output/kibana.staging.yaml index 4ff23c72b41c8..e4ba9c48a3b46 100644 --- a/oas_docs/output/kibana.staging.yaml +++ b/oas_docs/output/kibana.staging.yaml @@ -31376,10 +31376,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array tiebreaker_field: $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' timestamp_field: @@ -31469,6 +31465,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -31593,6 +31593,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -31714,6 +31718,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -31818,6 +31826,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -31952,6 +31964,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32076,6 +32092,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32121,10 +32141,6 @@ components: properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_EsqlRulePatchProps: allOf: - type: object @@ -32195,6 +32211,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32321,6 +32341,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32583,6 +32607,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -32710,6 +32738,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32837,6 +32869,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32960,6 +32996,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33171,6 +33211,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33300,6 +33344,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -33357,10 +33405,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object @@ -33445,6 +33489,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33576,6 +33624,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33810,6 +33862,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33936,6 +33992,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -33994,10 +34054,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_QueryRulePatchFields: @@ -34077,6 +34133,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -34200,6 +34260,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -34909,6 +34973,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35038,6 +35106,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -35097,10 +35169,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object @@ -35181,6 +35249,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35307,6 +35379,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35564,6 +35640,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35693,6 +35773,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -35848,6 +35932,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35983,6 +36071,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36183,6 +36275,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36312,6 +36408,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36454,6 +36554,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36583,6 +36687,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
diff --git a/oas_docs/output/kibana.yaml b/oas_docs/output/kibana.yaml index 4ff23c72b41c8..e4ba9c48a3b46 100644 --- a/oas_docs/output/kibana.yaml +++ b/oas_docs/output/kibana.yaml @@ -31376,10 +31376,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array tiebreaker_field: $ref: '#/components/schemas/Security_Detections_API_TiebreakerField' timestamp_field: @@ -31469,6 +31465,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -31593,6 +31593,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -31714,6 +31718,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -31818,6 +31826,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -31952,6 +31964,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32076,6 +32092,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32121,10 +32141,6 @@ components: properties: alert_suppression: $ref: '#/components/schemas/Security_Detections_API_AlertSuppression' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_EsqlRulePatchProps: allOf: - type: object @@ -32195,6 +32211,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32321,6 +32341,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32583,6 +32607,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -32710,6 +32738,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32837,6 +32869,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -32960,6 +32996,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33171,6 +33211,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33300,6 +33344,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -33357,10 +33405,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_NewTermsRulePatchFields: allOf: - type: object @@ -33445,6 +33489,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33576,6 +33624,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33810,6 +33862,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -33936,6 +33992,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -33994,10 +34054,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_RuleFilterArray' index: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array saved_id: $ref: '#/components/schemas/Security_Detections_API_SavedQueryId' Security_Detections_API_QueryRulePatchFields: @@ -34077,6 +34133,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -34200,6 +34260,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -34909,6 +34973,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35038,6 +35106,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -35097,10 +35169,6 @@ components: $ref: '#/components/schemas/Security_Detections_API_IndexPatternArray' query: $ref: '#/components/schemas/Security_Detections_API_RuleQuery' - response_actions: - items: - $ref: '#/components/schemas/Security_Detections_API_ResponseAction' - type: array Security_Detections_API_SavedQueryRulePatchFields: allOf: - type: object @@ -35181,6 +35249,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35307,6 +35379,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35564,6 +35640,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35693,6 +35773,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
@@ -35848,6 +35932,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -35983,6 +36071,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36183,6 +36275,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36312,6 +36408,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36454,6 +36554,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: @@ -36583,6 +36687,10 @@ components: $ref: >- #/components/schemas/Security_Detections_API_RequiredFieldInput type: array + response_actions: + items: + $ref: '#/components/schemas/Security_Detections_API_ResponseAction' + type: array risk_score: $ref: '#/components/schemas/Security_Detections_API_RiskScore' risk_score_mapping: 
diff --git a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap index 4dc2abbc5f6a8..c283cc1087682 100644 --- a/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap +++ b/x-pack/plugins/alerting/server/integration_tests/__snapshots__/serverless_upgrade_and_rollback_checks.test.ts.snap 
@@ -5829,6 +5829,175 @@ Object { }, "type": "array", }, + "responseActions": Object { + "items": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".osquery", + "type": "string", + }, + "params": Object { + "additionalProperties": false, + "properties": Object { + "ecsMapping": Object { + "additionalProperties": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "value": Object { + "anyOf": Array [ + Object { + "type": "string", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + ], + }, + }, + "type": "object", + }, + "properties": Object {}, + "type": "object", + }, + "packId": Object { + "type": "string", + }, + "queries": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs_mapping": Object { + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + }, + "id": Object { + "type": "string", + }, + "platform": Object { + "type": "string", + }, + "query": Object { + "type": "string", + }, + "removed": Object { + "type": "boolean", + }, + "snapshot": Object { + "type": "boolean", + }, + "version": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "query", + ], + "type": "object", + }, + "type": "array", + }, + "query": Object { + "type": "string", + }, + "savedQueryId": Object { + "type": "string", + }, + "timeout": Object { + "type": "number", + }, + }, + "type": "object", + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".endpoint", + "type": "string", + }, + "params": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "const": "isolate", + "type": "string", + 
}, + "comment": Object { + "type": "string", + }, + }, + "required": Array [ + "command", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "enum": Array [ + "kill-process", + "suspend-process", + ], + "type": "string", + }, + "comment": Object { + "type": "string", + }, + "config": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "overwrite": Object { + "default": true, + "type": "boolean", + }, + }, + "required": Array [ + "field", + ], + "type": "object", + }, + }, + "required": Array [ + "command", + "config", + ], + "type": "object", + }, + ], + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + ], + }, + "type": "array", + }, "riskScore": Object { "maximum": 100, "minimum": 0, 
@@ -6135,204 +6304,35 @@ Object { "query": Object { "type": "string", }, - "responseActions": Object { - "items": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "actionTypeId": Object { - "const": ".osquery", - "type": "string", - }, - "params": Object { - "additionalProperties": false, - "properties": Object { - "ecsMapping": Object { - "additionalProperties": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "value": Object { - "anyOf": Array [ - Object { - "type": "string", - }, - Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - ], - }, - }, - "type": "object", - }, - "properties": Object {}, - "type": "object", - }, - "packId": Object { - "type": "string", - }, - "queries": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "ecs_mapping": Object { - "$ref": "#/allOf/1/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", - }, - "id": Object { - "type": "string", - }, - "platform": Object { - "type": "string", - }, - "query": Object { - "type": "string", - }, - "removed": Object { - "type": "boolean", - }, - "snapshot": Object { - "type": "boolean", - }, - "version": Object { - "type": "string", - }, - }, - "required": Array [ - "id", - "query", - ], - "type": "object", - }, - "type": "array", - }, - "query": Object { - "type": "string", - }, - "savedQueryId": Object { - "type": "string", - }, - "timeout": Object { - "type": "number", - }, - }, - "type": "object", - }, - }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "actionTypeId": Object { - "const": ".endpoint", - "type": "string", - }, - "params": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "command": Object { - "const": "isolate", - 
"type": "string", - }, - "comment": Object { - "type": "string", - }, - }, - "required": Array [ - "command", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "command": Object { - "enum": Array [ - "kill-process", - "suspend-process", - ], - "type": "string", - }, - "comment": Object { - "type": "string", - }, - "config": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "overwrite": Object { - "default": true, - "type": "boolean", - }, - }, - "required": Array [ - "field", - ], - "type": "object", - }, - }, - "required": Array [ - "command", - "config", - ], - "type": "object", - }, - ], - }, - }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", - }, - ], - }, - "type": "array", - }, - "tiebreakerField": Object { - "type": "string", - }, - "timestampField": Object { - "type": "string", - }, - "type": Object { - "const": "eql", - "type": "string", - }, - }, - "required": Array [ - "type", - "language", - "query", - ], - "type": "object", - }, - ], -} -`; - -exports[`Serverless upgrade and rollback checks detect param changes to review for: siem.indicatorRule 1`] = ` -Object { - "$schema": "http://json-schema.org/draft-07/schema#", - "allOf": Array [ - Object { - "properties": Object { - "author": Object { + "tiebreakerField": Object { + "type": "string", + }, + "timestampField": Object { + "type": "string", + }, + "type": Object { + "const": "eql", + "type": "string", + }, + }, + "required": Array [ + "type", + "language", + "query", + ], + "type": "object", + }, + ], +} +`; + +exports[`Serverless upgrade and rollback checks detect param changes to review for: siem.indicatorRule 1`] = ` +Object { + "$schema": "http://json-schema.org/draft-07/schema#", + "allOf": Array [ + Object { + "properties": Object { + "author": Object { "items": Object { "type": "string", }, 
@@ -6497,34 +6497,203 @@ Object { }, "type": "array", }, - "riskScore": Object { - "maximum": 100, - "minimum": 0, - "type": "integer", - }, - "riskScoreMapping": Object { + "responseActions": Object { "items": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "operator": Object { - "const": "equals", - "type": "string", - }, - "risk_score": Object { - "$ref": "#/allOf/0/properties/riskScore", - }, - "value": Object { - "type": "string", + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".osquery", + "type": "string", + }, + "params": Object { + "additionalProperties": false, + "properties": Object { + "ecsMapping": Object { + "additionalProperties": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "value": Object { + "anyOf": Array [ + Object { + "type": "string", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + ], + }, + }, + "type": "object", + }, + "properties": Object {}, + "type": "object", + }, + "packId": Object { + "type": "string", + }, + "queries": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs_mapping": Object { + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + }, + "id": Object { + "type": "string", + }, + "platform": Object { + "type": "string", + }, + "query": Object { + "type": "string", + }, + "removed": Object { + "type": "boolean", + }, + "snapshot": Object { + "type": "boolean", + }, + "version": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "query", + ], + "type": "object", + }, + "type": "array", + }, + "query": Object { + "type": "string", + }, + "savedQueryId": Object { + "type": "string", + }, + "timeout": Object { + "type": "number", + }, + }, + "type": "object", + }, + }, + 
"required": Array [ + "actionTypeId", + "params", + ], + "type": "object", }, - }, - "required": Array [ - "field", - "operator", - "value", - ], + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".endpoint", + "type": "string", + }, + "params": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "const": "isolate", + "type": "string", + }, + "comment": Object { + "type": "string", + }, + }, + "required": Array [ + "command", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "enum": Array [ + "kill-process", + "suspend-process", + ], + "type": "string", + }, + "comment": Object { + "type": "string", + }, + "config": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "overwrite": Object { + "default": true, + "type": "boolean", + }, + }, + "required": Array [ + "field", + ], + "type": "object", + }, + }, + "required": Array [ + "command", + "config", + ], + "type": "object", + }, + ], + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + ], + }, + "type": "array", + }, + "riskScore": Object { + "maximum": 100, + "minimum": 0, + "type": "integer", + }, + "riskScoreMapping": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "operator": Object { + "const": "equals", + "type": "string", + }, + "risk_score": Object { + "$ref": "#/allOf/0/properties/riskScore", + }, + "value": Object { + "type": "string", + }, + }, + "required": Array [ + "field", + "operator", + "value", + ], "type": "object", }, "type": "array", 
@@ -7059,483 +7228,172 @@ Object { }, "type": "array", }, - "riskScore": Object { - "maximum": 100, - "minimum": 0, - "type": "integer", - }, - "riskScoreMapping": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "operator": Object { - "const": "equals", - "type": "string", - }, - "risk_score": Object { - "$ref": "#/allOf/0/properties/riskScore", - }, - "value": Object { - "type": "string", - }, - }, - "required": Array [ - "field", - "operator", - "value", - ], - "type": "object", - }, - "type": "array", - }, - "ruleId": Object { - "type": "string", - }, - "ruleNameOverride": Object { - "type": "string", - }, - "ruleSource": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "isCustomized": Object { - "type": "boolean", - }, - "type": Object { - "const": "external", - "type": "string", - }, - }, - "required": Array [ - "type", - "isCustomized", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "type": Object { - "const": "internal", - "type": "string", - }, - }, - "required": Array [ - "type", - ], - "type": "object", - }, - ], - }, - "setup": Object { - "type": "string", - }, - "severity": Object { - "enum": Array [ - "low", - "medium", - "high", - "critical", - ], - "type": "string", - }, - "severityMapping": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "operator": Object { - "const": "equals", - "type": "string", - }, - "severity": Object { - "$ref": "#/allOf/0/properties/severity", - }, - "value": Object { - "type": "string", - }, - }, - "required": Array [ - "field", - "operator", - "severity", - "value", - ], - "type": "object", - }, - "type": "array", - }, - "threat": Object { + "responseActions": Object { "items": Object { - "additionalProperties": false, - "properties": Object { - 
"framework": Object { - "type": "string", - }, - "tactic": Object { + "anyOf": Array [ + Object { "additionalProperties": false, "properties": Object { - "id": Object { - "type": "string", - }, - "name": Object { - "type": "string", - }, - "reference": Object { + "actionTypeId": Object { + "const": ".osquery", "type": "string", }, - }, - "required": Array [ - "id", - "name", - "reference", - ], - "type": "object", - }, - "technique": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "id": Object { - "type": "string", - }, - "name": Object { - "type": "string", - }, - "reference": Object { - "type": "string", - }, - "subtechnique": Object { - "items": Object { + "params": Object { + "additionalProperties": false, + "properties": Object { + "ecsMapping": Object { + "additionalProperties": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "value": Object { + "anyOf": Array [ + Object { + "type": "string", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + ], + }, + }, + "type": "object", + }, + "properties": Object {}, + "type": "object", + }, + "packId": Object { + "type": "string", + }, + "queries": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs_mapping": Object { + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + }, + "id": Object { + "type": "string", + }, + "platform": Object { + "type": "string", + }, + "query": Object { + "type": "string", + }, + "removed": Object { + "type": "boolean", + }, + "snapshot": Object { + "type": "boolean", + }, + "version": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "query", + ], + "type": "object", + }, + "type": "array", + }, + "query": Object { + "type": "string", + }, + "savedQueryId": Object { + "type": "string", + }, + "timeout": Object { + "type": "number", + }, 
+ }, + "type": "object", + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".endpoint", + "type": "string", + }, + "params": Object { + "anyOf": Array [ + Object { "additionalProperties": false, "properties": Object { - "id": Object { - "type": "string", - }, - "name": Object { + "command": Object { + "const": "isolate", "type": "string", }, - "reference": Object { + "comment": Object { "type": "string", }, }, "required": Array [ - "id", - "name", - "reference", + "command", ], "type": "object", }, - "type": "array", - }, - }, - "required": Array [ - "id", - "name", - "reference", - ], - "type": "object", - }, - "type": "array", - }, - }, - "required": Array [ - "framework", - "tactic", - ], - "type": "object", - }, - "type": "array", - }, - "timelineId": Object { - "type": "string", - }, - "timelineTitle": Object { - "type": "string", - }, - "timestampOverride": Object { - "type": "string", - }, - "timestampOverrideFallbackDisabled": Object { - "type": "boolean", - }, - "to": Object { - "type": "string", - }, - "version": Object { - "minimum": 1, - "type": "integer", - }, - }, - "required": Array [ - "author", - "description", - "falsePositives", - "from", - "ruleId", - "immutable", - "outputIndex", - "maxSignals", - "riskScore", - "riskScoreMapping", - "severity", - "severityMapping", - "threat", - "to", - "references", - "version", - "exceptionsList", - ], - "type": "object", - }, - Object { - "properties": Object { - "alertSuppression": Object { - "additionalProperties": false, - "properties": Object { - "duration": Object { - "additionalProperties": false, - "properties": Object { - "unit": Object { - "enum": Array [ - "s", - "m", - "h", - ], - "type": "string", - }, - "value": Object { - "minimum": 1, - "type": "integer", - }, - }, - "required": Array [ - "value", - "unit", - ], - "type": "object", - }, - 
"groupBy": Object { - "items": Object { - "type": "string", - }, - "maxItems": 3, - "minItems": 1, - "type": "array", - }, - "missingFieldsStrategy": Object { - "enum": Array [ - "doNotSuppress", - "suppress", - ], - "type": "string", - }, - }, - "required": Array [ - "groupBy", - ], - "type": "object", - }, - "anomalyThreshold": Object { - "minimum": 0, - "type": "integer", - }, - "machineLearningJobId": Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - "type": Object { - "const": "machine_learning", - "type": "string", - }, - }, - "required": Array [ - "type", - "anomalyThreshold", - "machineLearningJobId", - ], - "type": "object", - }, - ], -} -`; - -exports[`Serverless upgrade and rollback checks detect param changes to review for: siem.newTermsRule 1`] = ` -Object { - "$schema": "http://json-schema.org/draft-07/schema#", - "allOf": Array [ - Object { - "properties": Object { - "author": Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - "buildingBlockType": Object { - "type": "string", - }, - "description": Object { - "minLength": 1, - "type": "string", - }, - "exceptionsList": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "id": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - "list_id": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - "namespace_type": Object { - "enum": Array [ - "agnostic", - "single", - ], - "type": "string", - }, - "type": Object { - "enum": Array [ - "detection", - "rule_default", - "endpoint", - "endpoint_trusted_apps", - "endpoint_events", - "endpoint_host_isolation_exceptions", - "endpoint_blocklists", - ], - "type": "string", - }, - }, - "required": Array [ - "id", - "list_id", - "type", - "namespace_type", - ], - "type": "object", - }, - "type": "array", - }, - "falsePositives": Object { - "items": Object { - "type": 
"string", - }, - "type": "array", - }, - "from": Object { - "type": "string", - }, - "immutable": Object { - "type": "boolean", - }, - "investigationFields": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "field_names": Object { - "items": Object { - "minLength": 1, - "pattern": "^(?! *$).+$", - "type": "string", + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "enum": Array [ + "kill-process", + "suspend-process", + ], + "type": "string", + }, + "comment": Object { + "type": "string", + }, + "config": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "overwrite": Object { + "default": true, + "type": "boolean", + }, + }, + "required": Array [ + "field", + ], + "type": "object", + }, + }, + "required": Array [ + "command", + "config", + ], + "type": "object", + }, + ], }, - "minItems": 1, - "type": "array", }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", }, - "required": Array [ - "field_names", - ], - "type": "object", - }, - Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - ], - }, - "license": Object { - "type": "string", - }, - "maxSignals": Object { - "minimum": 1, - "type": "integer", - }, - "meta": Object { - "additionalProperties": Object {}, - "properties": Object {}, - "type": "object", - }, - "namespace": Object { - "type": "string", - }, - "note": Object { - "type": "string", - }, - "outputIndex": Object { - "type": "string", - }, - "references": Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - "relatedIntegrations": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "integration": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - "package": Object { - "$ref": 
"#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - "version": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - }, - "required": Array [ - "package", - "version", - ], - "type": "object", - }, - "type": "array", - }, - "requiredFields": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "ecs": Object { - "type": "boolean", - }, - "name": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - "type": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", - }, - }, - "required": Array [ - "name", - "type", - "ecs", ], - "type": "object", }, "type": "array", }, 
@@ -7822,39 +7680,202 @@ Object { ], "type": "object", }, - "dataViewId": Object { + "anomalyThreshold": Object { + "minimum": 0, + "type": "integer", + }, + "machineLearningJobId": Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + "type": Object { + "const": "machine_learning", "type": "string", }, - "filters": Object { - "items": Object {}, + }, + "required": Array [ + "type", + "anomalyThreshold", + "machineLearningJobId", + ], + "type": "object", + }, + ], +} +`; + +exports[`Serverless upgrade and rollback checks detect param changes to review for: siem.newTermsRule 1`] = ` +Object { + "$schema": "http://json-schema.org/draft-07/schema#", + "allOf": Array [ + Object { + "properties": Object { + "author": Object { + "items": Object { + "type": "string", + }, "type": "array", }, - "historyWindowStart": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + "buildingBlockType": Object { + "type": "string", }, - "index": Object { + "description": Object { + "minLength": 1, + "type": "string", + }, + "exceptionsList": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "id": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + "list_id": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + "namespace_type": Object { + "enum": Array [ + "agnostic", + "single", + ], + "type": "string", + }, + "type": Object { + "enum": Array [ + "detection", + "rule_default", + "endpoint", + "endpoint_trusted_apps", + "endpoint_events", + "endpoint_host_isolation_exceptions", + "endpoint_blocklists", + ], + "type": "string", + }, + }, + "required": Array [ + "id", + "list_id", + "type", + "namespace_type", + ], + "type": "object", + }, + "type": "array", + }, + "falsePositives": Object { "items": Object { "type": "string", }, "type": "array", }, - "language": Object 
{ - "enum": Array [ - "kuery", - "lucene", + "from": Object { + "type": "string", + }, + "immutable": Object { + "type": "boolean", + }, + "investigationFields": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "field_names": Object { + "items": Object { + "minLength": 1, + "pattern": "^(?! *$).+$", + "type": "string", + }, + "minItems": 1, + "type": "array", + }, + }, + "required": Array [ + "field_names", + ], + "type": "object", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, ], + }, + "license": Object { + "type": "string", + }, + "maxSignals": Object { + "minimum": 1, + "type": "integer", + }, + "meta": Object { + "additionalProperties": Object {}, + "properties": Object {}, + "type": "object", + }, + "namespace": Object { + "type": "string", + }, + "note": Object { + "type": "string", + }, + "outputIndex": Object { "type": "string", }, - "newTermsFields": Object { + "references": Object { "items": Object { "type": "string", }, - "maxItems": 3, - "minItems": 1, "type": "array", }, - "query": Object { - "type": "string", + "relatedIntegrations": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "integration": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + "package": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + "version": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + }, + "required": Array [ + "package", + "version", + ], + "type": "object", + }, + "type": "array", + }, + "requiredFields": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs": Object { + "type": "boolean", + }, + "name": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + "type": Object { + "$ref": 
"#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + }, + "required": Array [ + "name", + "type", + "ecs", + ], + "type": "object", + }, + "type": "array", }, "responseActions": Object { "items": Object { @@ -7903,7 +7924,7 @@ Object { "additionalProperties": false, "properties": Object { "ecs_mapping": Object { - "$ref": "#/allOf/1/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", }, "id": Object { "type": "string", 
@@ -8015,16 +8036,333 @@ Object { ], }, }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + ], + }, + "type": "array", + }, + "riskScore": Object { + "maximum": 100, + "minimum": 0, + "type": "integer", + }, + "riskScoreMapping": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "operator": Object { + "const": "equals", + "type": "string", + }, + "risk_score": Object { + "$ref": "#/allOf/0/properties/riskScore", + }, + "value": Object { + "type": "string", + }, + }, + "required": Array [ + "field", + "operator", + "value", + ], + "type": "object", + }, + "type": "array", + }, + "ruleId": Object { + "type": "string", + }, + "ruleNameOverride": Object { + "type": "string", + }, + "ruleSource": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "isCustomized": Object { + "type": "boolean", + }, + "type": Object { + "const": "external", + "type": "string", + }, + }, + "required": Array [ + "type", + "isCustomized", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "type": Object { + "const": "internal", + "type": "string", + }, + }, + "required": Array [ + "type", + ], + "type": "object", + }, + ], + }, + "setup": Object { + "type": "string", + }, + "severity": Object { + "enum": Array [ + "low", + "medium", + "high", + "critical", + ], + "type": "string", + }, + "severityMapping": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "operator": Object { + "const": "equals", + "type": "string", + }, + "severity": Object { + "$ref": "#/allOf/0/properties/severity", + }, + "value": Object { + "type": "string", + }, + }, + "required": Array [ + "field", + "operator", + "severity", + "value", + ], + 
"type": "object", + }, + "type": "array", + }, + "threat": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "framework": Object { + "type": "string", + }, + "tactic": Object { + "additionalProperties": false, + "properties": Object { + "id": Object { + "type": "string", + }, + "name": Object { + "type": "string", + }, + "reference": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "name", + "reference", + ], + "type": "object", + }, + "technique": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "id": Object { + "type": "string", + }, + "name": Object { + "type": "string", + }, + "reference": Object { + "type": "string", + }, + "subtechnique": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "id": Object { + "type": "string", + }, + "name": Object { + "type": "string", + }, + "reference": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "name", + "reference", + ], + "type": "object", + }, + "type": "array", + }, + }, + "required": Array [ + "id", + "name", + "reference", + ], + "type": "object", + }, + "type": "array", + }, + }, + "required": Array [ + "framework", + "tactic", + ], + "type": "object", + }, + "type": "array", + }, + "timelineId": Object { + "type": "string", + }, + "timelineTitle": Object { + "type": "string", + }, + "timestampOverride": Object { + "type": "string", + }, + "timestampOverrideFallbackDisabled": Object { + "type": "boolean", + }, + "to": Object { + "type": "string", + }, + "version": Object { + "minimum": 1, + "type": "integer", + }, + }, + "required": Array [ + "author", + "description", + "falsePositives", + "from", + "ruleId", + "immutable", + "outputIndex", + "maxSignals", + "riskScore", + "riskScoreMapping", + "severity", + "severityMapping", + "threat", + "to", + "references", + "version", + "exceptionsList", + ], + "type": "object", + }, + Object { + "properties": 
Object { + "alertSuppression": Object { + "additionalProperties": false, + "properties": Object { + "duration": Object { + "additionalProperties": false, + "properties": Object { + "unit": Object { + "enum": Array [ + "s", + "m", + "h", + ], + "type": "string", + }, + "value": Object { + "minimum": 1, + "type": "integer", + }, }, - ], + "required": Array [ + "value", + "unit", + ], + "type": "object", + }, + "groupBy": Object { + "items": Object { + "type": "string", + }, + "maxItems": 3, + "minItems": 1, + "type": "array", + }, + "missingFieldsStrategy": Object { + "enum": Array [ + "doNotSuppress", + "suppress", + ], + "type": "string", + }, + }, + "required": Array [ + "groupBy", + ], + "type": "object", + }, + "dataViewId": Object { + "type": "string", + }, + "filters": Object { + "items": Object {}, + "type": "array", + }, + "historyWindowStart": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + "index": Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + "language": Object { + "enum": Array [ + "kuery", + "lucene", + ], + "type": "string", + }, + "newTermsFields": Object { + "items": Object { + "type": "string", }, + "maxItems": 3, + "minItems": 1, "type": "array", }, + "query": Object { + "type": "string", + }, "type": Object { "const": "new_terms", "type": "string", 
@@ -8233,13 +8571,182 @@ Object { "type": Object { "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", }, - }, - "required": Array [ - "name", - "type", - "ecs", + }, + "required": Array [ + "name", + "type", + "ecs", + ], + "type": "object", + }, + "type": "array", + }, + "responseActions": Object { + "items": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".osquery", + "type": "string", + }, + "params": Object { + "additionalProperties": false, + "properties": Object { + "ecsMapping": Object { + "additionalProperties": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "value": Object { + "anyOf": Array [ + Object { + "type": "string", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + ], + }, + }, + "type": "object", + }, + "properties": Object {}, + "type": "object", + }, + "packId": Object { + "type": "string", + }, + "queries": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs_mapping": Object { + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + }, + "id": Object { + "type": "string", + }, + "platform": Object { + "type": "string", + }, + "query": Object { + "type": "string", + }, + "removed": Object { + "type": "boolean", + }, + "snapshot": Object { + "type": "boolean", + }, + "version": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "query", + ], + "type": "object", + }, + "type": "array", + }, + "query": Object { + "type": "string", + }, + "savedQueryId": Object { + "type": "string", + }, + "timeout": Object { + "type": "number", + }, + }, + "type": "object", + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object 
{ + "actionTypeId": Object { + "const": ".endpoint", + "type": "string", + }, + "params": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "const": "isolate", + "type": "string", + }, + "comment": Object { + "type": "string", + }, + }, + "required": Array [ + "command", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "enum": Array [ + "kill-process", + "suspend-process", + ], + "type": "string", + }, + "comment": Object { + "type": "string", + }, + "config": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "overwrite": Object { + "default": true, + "type": "boolean", + }, + }, + "required": Array [ + "field", + ], + "type": "object", + }, + }, + "required": Array [ + "command", + "config", + ], + "type": "object", + }, + ], + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, ], - "type": "object", }, "type": "array", }, 
@@ -8552,175 +9059,6 @@ Object { "query": Object { "type": "string", }, - "responseActions": Object { - "items": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "actionTypeId": Object { - "const": ".osquery", - "type": "string", - }, - "params": Object { - "additionalProperties": false, - "properties": Object { - "ecsMapping": Object { - "additionalProperties": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "value": Object { - "anyOf": Array [ - Object { - "type": "string", - }, - Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - ], - }, - }, - "type": "object", - }, - "properties": Object {}, - "type": "object", - }, - "packId": Object { - "type": "string", - }, - "queries": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "ecs_mapping": Object { - "$ref": "#/allOf/1/anyOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", - }, - "id": Object { - "type": "string", - }, - "platform": Object { - "type": "string", - }, - "query": Object { - "type": "string", - }, - "removed": Object { - "type": "boolean", - }, - "snapshot": Object { - "type": "boolean", - }, - "version": Object { - "type": "string", - }, - }, - "required": Array [ - "id", - "query", - ], - "type": "object", - }, - "type": "array", - }, - "query": Object { - "type": "string", - }, - "savedQueryId": Object { - "type": "string", - }, - "timeout": Object { - "type": "number", - }, - }, - "type": "object", - }, - }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "actionTypeId": Object { - "const": ".endpoint", - "type": "string", - }, - "params": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "command": Object { - "const": 
"isolate", - "type": "string", - }, - "comment": Object { - "type": "string", - }, - }, - "required": Array [ - "command", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "command": Object { - "enum": Array [ - "kill-process", - "suspend-process", - ], - "type": "string", - }, - "comment": Object { - "type": "string", - }, - "config": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "overwrite": Object { - "default": true, - "type": "boolean", - }, - }, - "required": Array [ - "field", - ], - "type": "object", - }, - }, - "required": Array [ - "command", - "config", - ], - "type": "object", - }, - ], - }, - }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", - }, - ], - }, - "type": "array", - }, "savedId": Object { "type": "string", }, @@ -8757,12 +9095,6 @@ Object { "query": Object { "$ref": "#/allOf/1/anyOf/0/properties/query", }, - "responseActions": Object { - "items": Object { - "$ref": "#/allOf/1/anyOf/0/properties/responseActions/items", - }, - "type": "array", - }, "savedId": Object { "$ref": "#/allOf/1/anyOf/0/properties/savedId", }, 
@@ -8942,16 +9274,185 @@ Object { "name": Object { "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", }, - "type": Object { - "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + "type": Object { + "$ref": "#/allOf/0/properties/investigationFields/anyOf/0/properties/field_names/items", + }, + }, + "required": Array [ + "name", + "type", + "ecs", + ], + "type": "object", + }, + "type": "array", + }, + "responseActions": Object { + "items": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".osquery", + "type": "string", + }, + "params": Object { + "additionalProperties": false, + "properties": Object { + "ecsMapping": Object { + "additionalProperties": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "value": Object { + "anyOf": Array [ + Object { + "type": "string", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + ], + }, + }, + "type": "object", + }, + "properties": Object {}, + "type": "object", + }, + "packId": Object { + "type": "string", + }, + "queries": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs_mapping": Object { + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + }, + "id": Object { + "type": "string", + }, + "platform": Object { + "type": "string", + }, + "query": Object { + "type": "string", + }, + "removed": Object { + "type": "boolean", + }, + "snapshot": Object { + "type": "boolean", + }, + "version": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "query", + ], + "type": "object", + }, + "type": "array", + }, + "query": Object { + "type": "string", + }, + "savedQueryId": Object { + "type": "string", + }, + "timeout": Object { + "type": "number", + }, + }, + "type": 
"object", + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".endpoint", + "type": "string", + }, + "params": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "const": "isolate", + "type": "string", + }, + "comment": Object { + "type": "string", + }, + }, + "required": Array [ + "command", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "enum": Array [ + "kill-process", + "suspend-process", + ], + "type": "string", + }, + "comment": Object { + "type": "string", + }, + "config": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "overwrite": Object { + "default": true, + "type": "boolean", + }, + }, + "required": Array [ + "field", + ], + "type": "object", + }, + }, + "required": Array [ + "command", + "config", + ], + "type": "object", + }, + ], + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", }, - }, - "required": Array [ - "name", - "type", - "ecs", ], - "type": "object", }, "type": "array", }, 
@@ -9178,261 +9679,92 @@ Object { "immutable", "outputIndex", "maxSignals", - "riskScore", - "riskScoreMapping", - "severity", - "severityMapping", - "threat", - "to", - "references", - "version", - "exceptionsList", - ], - "type": "object", - }, - Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "alertSuppression": Object { - "additionalProperties": false, - "properties": Object { - "duration": Object { - "additionalProperties": false, - "properties": Object { - "unit": Object { - "enum": Array [ - "s", - "m", - "h", - ], - "type": "string", - }, - "value": Object { - "minimum": 1, - "type": "integer", - }, - }, - "required": Array [ - "value", - "unit", - ], - "type": "object", - }, - "groupBy": Object { - "items": Object { - "type": "string", - }, - "maxItems": 3, - "minItems": 1, - "type": "array", - }, - "missingFieldsStrategy": Object { - "enum": Array [ - "doNotSuppress", - "suppress", - ], - "type": "string", - }, - }, - "required": Array [ - "groupBy", - ], - "type": "object", - }, - "dataViewId": Object { - "type": "string", - }, - "filters": Object { - "items": Object {}, - "type": "array", - }, - "index": Object { - "items": Object { - "type": "string", - }, - "type": "array", - }, - "language": Object { - "enum": Array [ - "kuery", - "lucene", - ], - "type": "string", - }, - "query": Object { - "type": "string", - }, - "responseActions": Object { - "items": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "actionTypeId": Object { - "const": ".osquery", - "type": "string", - }, - "params": Object { - "additionalProperties": false, - "properties": Object { - "ecsMapping": Object { - "additionalProperties": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "value": Object { - "anyOf": Array [ - Object { - "type": "string", - }, - Object { - "items": Object { - "type": "string", - }, - "type": 
"array", - }, - ], - }, - }, - "type": "object", - }, - "properties": Object {}, - "type": "object", - }, - "packId": Object { - "type": "string", - }, - "queries": Object { - "items": Object { - "additionalProperties": false, - "properties": Object { - "ecs_mapping": Object { - "$ref": "#/allOf/1/anyOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", - }, - "id": Object { - "type": "string", - }, - "platform": Object { - "type": "string", - }, - "query": Object { - "type": "string", - }, - "removed": Object { - "type": "boolean", - }, - "snapshot": Object { - "type": "boolean", - }, - "version": Object { - "type": "string", - }, - }, - "required": Array [ - "id", - "query", - ], - "type": "object", - }, - "type": "array", - }, - "query": Object { - "type": "string", - }, - "savedQueryId": Object { - "type": "string", - }, - "timeout": Object { - "type": "number", - }, - }, - "type": "object", - }, - }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "actionTypeId": Object { - "const": ".endpoint", - "type": "string", - }, - "params": Object { - "anyOf": Array [ - Object { - "additionalProperties": false, - "properties": Object { - "command": Object { - "const": "isolate", - "type": "string", - }, - "comment": Object { - "type": "string", - }, - }, - "required": Array [ - "command", - ], - "type": "object", - }, - Object { - "additionalProperties": false, - "properties": Object { - "command": Object { - "enum": Array [ - "kill-process", - "suspend-process", - ], - "type": "string", - }, - "comment": Object { - "type": "string", - }, - "config": Object { - "additionalProperties": false, - "properties": Object { - "field": Object { - "type": "string", - }, - "overwrite": Object { - "default": true, - "type": "boolean", - }, - }, - "required": Array [ - "field", - ], - "type": "object", - }, - }, - "required": Array [ - 
"command", - "config", - ], - "type": "object", - }, - ], - }, + "riskScore", + "riskScoreMapping", + "severity", + "severityMapping", + "threat", + "to", + "references", + "version", + "exceptionsList", + ], + "type": "object", + }, + Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "alertSuppression": Object { + "additionalProperties": false, + "properties": Object { + "duration": Object { + "additionalProperties": false, + "properties": Object { + "unit": Object { + "enum": Array [ + "s", + "m", + "h", + ], + "type": "string", + }, + "value": Object { + "minimum": 1, + "type": "integer", }, - "required": Array [ - "actionTypeId", - "params", - ], - "type": "object", }, - ], + "required": Array [ + "value", + "unit", + ], + "type": "object", + }, + "groupBy": Object { + "items": Object { + "type": "string", + }, + "maxItems": 3, + "minItems": 1, + "type": "array", + }, + "missingFieldsStrategy": Object { + "enum": Array [ + "doNotSuppress", + "suppress", + ], + "type": "string", + }, + }, + "required": Array [ + "groupBy", + ], + "type": "object", + }, + "dataViewId": Object { + "type": "string", + }, + "filters": Object { + "items": Object {}, + "type": "array", + }, + "index": Object { + "items": Object { + "type": "string", }, "type": "array", }, + "language": Object { + "enum": Array [ + "kuery", + "lucene", + ], + "type": "string", + }, + "query": Object { + "type": "string", + }, "savedId": Object { "type": "string", }, @@ -9469,12 +9801,6 @@ Object { "query": Object { "$ref": "#/allOf/1/anyOf/0/properties/query", }, - "responseActions": Object { - "items": Object { - "$ref": "#/allOf/1/anyOf/0/properties/responseActions/items", - }, - "type": "array", - }, "savedId": Object { "$ref": "#/allOf/1/anyOf/0/properties/savedId", }, 
@@ -9667,6 +9993,175 @@ Object { }, "type": "array", }, + "responseActions": Object { + "items": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".osquery", + "type": "string", + }, + "params": Object { + "additionalProperties": false, + "properties": Object { + "ecsMapping": Object { + "additionalProperties": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "value": Object { + "anyOf": Array [ + Object { + "type": "string", + }, + Object { + "items": Object { + "type": "string", + }, + "type": "array", + }, + ], + }, + }, + "type": "object", + }, + "properties": Object {}, + "type": "object", + }, + "packId": Object { + "type": "string", + }, + "queries": Object { + "items": Object { + "additionalProperties": false, + "properties": Object { + "ecs_mapping": Object { + "$ref": "#/allOf/0/properties/responseActions/items/anyOf/0/properties/params/properties/ecsMapping", + }, + "id": Object { + "type": "string", + }, + "platform": Object { + "type": "string", + }, + "query": Object { + "type": "string", + }, + "removed": Object { + "type": "boolean", + }, + "snapshot": Object { + "type": "boolean", + }, + "version": Object { + "type": "string", + }, + }, + "required": Array [ + "id", + "query", + ], + "type": "object", + }, + "type": "array", + }, + "query": Object { + "type": "string", + }, + "savedQueryId": Object { + "type": "string", + }, + "timeout": Object { + "type": "number", + }, + }, + "type": "object", + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "actionTypeId": Object { + "const": ".endpoint", + "type": "string", + }, + "params": Object { + "anyOf": Array [ + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "const": "isolate", + "type": "string", + 
}, + "comment": Object { + "type": "string", + }, + }, + "required": Array [ + "command", + ], + "type": "object", + }, + Object { + "additionalProperties": false, + "properties": Object { + "command": Object { + "enum": Array [ + "kill-process", + "suspend-process", + ], + "type": "string", + }, + "comment": Object { + "type": "string", + }, + "config": Object { + "additionalProperties": false, + "properties": Object { + "field": Object { + "type": "string", + }, + "overwrite": Object { + "default": true, + "type": "boolean", + }, + }, + "required": Array [ + "field", + ], + "type": "object", + }, + }, + "required": Array [ + "command", + "config", + ], + "type": "object", + }, + ], + }, + }, + "required": Array [ + "actionTypeId", + "params", + ], + "type": "object", + }, + ], + }, + "type": "array", + }, "riskScore": Object { "maximum": 100, "minimum": 0, diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts index da4661ae8464c..e15ab0f06e082 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts +++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.gen.ts @@ -68,13 +68,13 @@ import { SavedQueryId, KqlQueryLanguage, } from './common_attributes.gen'; +import { ResponseAction } from '../rule_response_actions/response_actions.gen'; import { RuleExecutionSummary } from '../../rule_monitoring/model/execution_summary.gen'; import { EventCategoryOverride, TiebreakerField, TimestampField, } from './specific_attributes/eql_attributes.gen'; -import { ResponseAction } from '../rule_response_actions/response_actions.gen'; import { Threshold, ThresholdAlertSuppression, 
@@ -117,6 +117,7 @@ export const BaseOptionalFields = z.object({ meta: RuleMetadata.optional(), investigation_fields: InvestigationFields.optional(), throttle: RuleActionThrottle.optional(), + response_actions: z.array(ResponseAction).optional(), }); export type BaseDefaultableFields = z.infer; @@ -224,7 +225,6 @@ export const EqlOptionalFields = z.object({ tiebreaker_field: TiebreakerField.optional(), timestamp_field: TimestampField.optional(), alert_suppression: AlertSuppression.optional(), - response_actions: z.array(ResponseAction).optional(), }); export type EqlRuleCreateFields = z.infer; @@ -262,7 +262,6 @@ export const QueryRuleOptionalFields = z.object({ data_view_id: DataViewId.optional(), filters: RuleFilterArray.optional(), saved_id: SavedQueryId.optional(), - response_actions: z.array(ResponseAction).optional(), alert_suppression: AlertSuppression.optional(), }); @@ -313,7 +312,6 @@ export const SavedQueryRuleOptionalFields = z.object({ index: IndexPatternArray.optional(), data_view_id: DataViewId.optional(), filters: RuleFilterArray.optional(), - response_actions: z.array(ResponseAction).optional(), alert_suppression: AlertSuppression.optional(), query: RuleQuery.optional(), }); @@ -522,7 +520,6 @@ export const NewTermsRuleOptionalFields = z.object({ data_view_id: DataViewId.optional(), filters: RuleFilterArray.optional(), alert_suppression: AlertSuppression.optional(), - response_actions: z.array(ResponseAction).optional(), }); export type NewTermsRuleDefaultableFields = z.infer; @@ -576,7 +573,6 @@ export const EsqlRuleRequiredFields = z.object({ export type EsqlRuleOptionalFields = z.infer; export const EsqlRuleOptionalFields = z.object({ alert_suppression: AlertSuppression.optional(), - response_actions: z.array(ResponseAction).optional(), }); export type EsqlRulePatchFields = z.infer; 
diff --git a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml index d8aba232c26f9..f362b41ab6e86 100644 --- a/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml +++ b/x-pack/plugins/security_solution/common/api/detection_engine/model/rule_schema/rule_schemas.schema.yaml @@ -74,6 +74,11 @@ components: throttle: $ref: './common_attributes.schema.yaml#/components/schemas/RuleActionThrottle' + response_actions: + type: array + items: + $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction' + BaseDefaultableFields: x-inline: true type: object @@ -293,10 +298,6 @@ components: $ref: './specific_attributes/eql_attributes.schema.yaml#/components/schemas/TimestampField' alert_suppression: $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' - response_actions: - type: array - items: - $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction' EqlRuleCreateFields: allOf: @@ -359,10 +360,6 @@ components: $ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray' saved_id: $ref: './common_attributes.schema.yaml#/components/schemas/SavedQueryId' - response_actions: - type: array - items: - $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction' alert_suppression: $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' 
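Review bot: Moving `response_actions` into `BaseOptionalFields` (the `@@ -74,6 +74,11 @@` hunk) makes it an accepted create/update/patch field for every rule type — threshold, threat_match and machine_learning included — with no link to the `automatedResponseActionsForAllRulesEnabled` flag, whose own comment says it only gates the Rules UI. Unless a route-level or executor-side check that is not in this diff rejects the field for the rule types the flag is meant to hold back, an API client can attach an endpoint `isolate` or `kill-process` action to a rule type the UI still hides it for, and that rule type's executor will either run or silently drop it; either outcome deserves an explicit decision. I would enforce the same gate server-side on create/update while the flag is off, or at minimum add a `description:` under `response_actions:` stating which rule types actually execute the actions and that the remaining types are still behind the experimental flag, with the wording matched to what the server does. The `BaseOptionalFields` schema object starts before this hunk.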
@@ -440,10 +437,6 @@ components: $ref: './common_attributes.schema.yaml#/components/schemas/DataViewId' filters: $ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray' - response_actions: - type: array - items: - $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction' alert_suppression: $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' query: @@ -767,10 +760,6 @@ components: $ref: './common_attributes.schema.yaml#/components/schemas/RuleFilterArray' alert_suppression: $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' - response_actions: - type: array - items: - $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction' NewTermsRuleDefaultableFields: type: object @@ -849,10 +838,6 @@ components: properties: alert_suppression: $ref: './common_attributes.schema.yaml#/components/schemas/AlertSuppression' - response_actions: - type: array - items: - $ref: '../rule_response_actions/response_actions.schema.yaml#/components/schemas/ResponseAction' EsqlRulePatchFields: allOf: diff --git a/x-pack/plugins/security_solution/common/detection_engine/utils.ts b/x-pack/plugins/security_solution/common/detection_engine/utils.ts index 5068f35b6be1a..a98ca169a41d7 100644 --- a/x-pack/plugins/security_solution/common/detection_engine/utils.ts +++ b/x-pack/plugins/security_solution/common/detection_engine/utils.ts 
@@ -93,9 +93,16 @@ export const isSuppressionRuleConfiguredWithMissingFields = (ruleType: Type) =>
 export const isSuppressionRuleInGA = (ruleType: Type): boolean => {
   return isSuppressibleAlertRule(ruleType) && SUPPRESSIBLE_ALERT_RULES_GA.includes(ruleType);
 };
-
-export const shouldShowResponseActions = (ruleType: Type | undefined) => {
+export const shouldShowResponseActions = (
+  ruleType: Type | undefined,
+  automatedResponseActionsForAllRulesEnabled: boolean
+) => {
   return (
-    isQueryRule(ruleType) || isEsqlRule(ruleType) || isEqlRule(ruleType) || isNewTermsRule(ruleType)
+    isQueryRule(ruleType) ||
+    isEsqlRule(ruleType) ||
+    isEqlRule(ruleType) ||
+    isNewTermsRule(ruleType) ||
+    (automatedResponseActionsForAllRulesEnabled &&
+      (isThresholdRule(ruleType) || isThreatMatchRule(ruleType) || isMlRule(ruleType)))
   );
 };
diff --git a/x-pack/plugins/security_solution/common/experimental_features.ts b/x-pack/plugins/security_solution/common/experimental_features.ts
index 982b102abd93e..7a90c0ba981c7 100644
--- a/x-pack/plugins/security_solution/common/experimental_features.ts
+++ b/x-pack/plugins/security_solution/common/experimental_features.ts
@@ -52,6 +52,11 @@ export const allowedExperimentalValues = Object.freeze({
    */
   automatedProcessActionsEnabled: true,
 
+  /**
+   * Temporary feature flag to enable the Response Actions in Rules UI - intermediate release
+   */
+  automatedResponseActionsForAllRulesEnabled: false,
+
   /**
    * Enables the ability to send Response actions to SentinelOne and persist the results
    * in ES. Adds API changes to support `agentType` and supports `isolate` and `release`
diff --git a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml
index ab7dc87817f50..e1d6399b01d3d 100644
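Review bot: The rewritten `shouldShowResponseActions` carries no doc comment saying that it is a UI-visibility gate keyed on an experimental flag and not an enforcement point, which matters because the schema change in this same commit makes `response_actions` a shared optional field that the API accepts for every rule type regardless of this check. I would add above the declaration: `/** UI gate only: whether the rule form offers the Response Actions step for ruleType. Threshold, Indicator Match and ML rules qualify only behind the automatedResponseActionsForAllRulesEnabled experimental flag; the API schema accepts response_actions independently of this. */`. The hunk also drops the blank line that separated `isSuppressionRuleInGA` from this function (the removed `-` line right after `};`), which should be kept so the two top-level exports stay visually separated. `isThresholdRule`, `isThreatMatchRule` and `isMlRule` are not imported anywhere in this hunk, so presumably they are already in scope at the top of the file — worth confirming.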
--- a/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/ess/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -2051,10 +2051,6 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array tiebreaker_field: $ref: '#/components/schemas/TiebreakerField' timestamp_field: @@ -2137,6 +2133,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2252,6 +2252,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2364,6 +2368,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2459,6 +2467,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2584,6 +2596,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -2699,6 +2715,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2742,10 +2762,6 @@ components: properties: alert_suppression: $ref: '#/components/schemas/AlertSuppression' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array EsqlRulePatchProps: allOf: - type: object @@ -2809,6 +2825,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2926,6 +2946,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3178,6 +3202,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3293,6 +3321,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3408,6 +3440,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -3519,6 +3555,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3720,6 +3760,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3836,6 +3880,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3890,10 +3938,6 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array NewTermsRulePatchFields: allOf: - type: object @@ -3969,6 +4013,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4089,6 +4137,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4312,6 +4364,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -4428,6 +4484,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4484,10 +4544,6 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array saved_id: $ref: '#/components/schemas/SavedQueryId' QueryRulePatchFields: @@ -4559,6 +4615,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4673,6 +4733,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5359,6 +5423,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5475,6 +5543,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5531,10 +5603,6 @@ components: $ref: '#/components/schemas/IndexPatternArray' query: $ref: '#/components/schemas/RuleQuery' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array SavedQueryRulePatchFields: allOf: - type: object 
@@ -5606,6 +5674,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5720,6 +5792,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5967,6 +6043,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6083,6 +6163,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6226,6 +6310,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6349,6 +6437,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6538,6 +6630,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -6654,6 +6750,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6783,6 +6883,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6900,6 +7004,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: diff --git a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml index 8812ada004771..a18480d8258ea 100644 --- a/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml +++ b/x-pack/plugins/security_solution/docs/openapi/serverless/security_solution_detections_api_2023_10_31.bundled.schema.yaml @@ -1325,10 +1325,6 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array tiebreaker_field: $ref: '#/components/schemas/TiebreakerField' timestamp_field: @@ -1411,6 +1407,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -1526,6 +1526,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -1638,6 +1642,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -1733,6 +1741,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -1858,6 +1870,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -1973,6 +1989,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2016,10 +2036,6 @@ components: properties: alert_suppression: $ref: '#/components/schemas/AlertSuppression' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array EsqlRulePatchProps: allOf: - type: object @@ -2083,6 +2099,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -2200,6 +2220,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2429,6 +2453,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2544,6 +2572,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2659,6 +2691,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2770,6 +2806,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2873,6 +2913,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -2989,6 +3033,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -3043,10 +3091,6 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array NewTermsRulePatchFields: allOf: - type: object @@ -3122,6 +3166,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3242,6 +3290,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3465,6 +3517,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3581,6 +3637,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -3637,10 +3697,6 @@ components: $ref: '#/components/schemas/RuleFilterArray' index: $ref: '#/components/schemas/IndexPatternArray' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array saved_id: $ref: '#/components/schemas/SavedQueryId' QueryRulePatchFields: @@ -3712,6 +3768,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -3826,6 +3886,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4512,6 +4576,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4628,6 +4696,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4684,10 +4756,6 @@ components: $ref: '#/components/schemas/IndexPatternArray' query: $ref: '#/components/schemas/RuleQuery' - response_actions: - items: - $ref: '#/components/schemas/ResponseAction' - type: array SavedQueryRulePatchFields: allOf: - type: object @@ -4759,6 +4827,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -4873,6 +4945,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5113,6 +5189,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
@@ -5229,6 +5309,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5372,6 +5456,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5495,6 +5583,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5684,6 +5776,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5800,6 +5896,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -5929,6 +6029,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: @@ -6046,6 +6150,10 @@ components: items: $ref: '#/components/schemas/RequiredFieldInput' type: array + response_actions: + items: + $ref: '#/components/schemas/ResponseAction' + type: array risk_score: $ref: '#/components/schemas/RiskScore' risk_score_mapping: 
diff --git a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx index 9e6346cc9040e..06168ce97a2c7 100644 --- a/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx +++ b/x-pack/plugins/security_solution/public/detection_engine/rule_creation/components/step_rule_actions/index.tsx @@ -16,6 +16,7 @@ import type { } from '@kbn/triggers-actions-ui-plugin/public'; import { UseArray } from '@kbn/es-ui-shared-plugin/static/forms/hook_form_lib'; import type { Type } from '@kbn/securitysolution-io-ts-alerting-types'; +import { useIsExperimentalFeatureEnabled } from '../../../../common/hooks/use_experimental_features'; import { shouldShowResponseActions } from '../../../../../common/detection_engine/utils'; import type { RuleObjectId } from '../../../../../common/api/detection_engine/model/rule_schema'; import { ResponseActionsForm } from '../../../rule_response_actions/response_actions_form'; @@ -84,7 +85,9 @@ const StepRuleActionsComponent: FC = ({ const { services: { application }, } = useKibana(); - + const automatedResponseActionsForAllRulesEnabled = useIsExperimentalFeatureEnabled( + 'automatedResponseActionsForAllRulesEnabled' + ); const displayActionsOptions = useMemo( () => ( <> @@ -102,7 +105,7 @@ const StepRuleActionsComponent: FC = ({ [actionMessageParams, summaryActionMessageParams] ); const displayResponseActionsOptions = useMemo(() => { - if (shouldShowResponseActions(ruleType)) { + if (shouldShowResponseActions(ruleType, automatedResponseActionsForAllRulesEnabled)) { return ( {ResponseActionsForm} 
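Review bot: The new `automatedResponseActionsForAllRulesEnabled` constant in the `@@ -84` hunk carries no comment, and it also replaces the blank line that separated the `useKibana()` destructuring from the next statement, so the two now read as one run-on declaration. Suggest restoring the blank line and adding `// UI-side gate only; the server re-evaluates this flag in validateResponseActionsPermissions (rule_management/utils/validate.ts)` above it, so nobody mistakes the client check for the enforcement point. StepRuleActionsComponent starts outside the hunk.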
@@ -110,7 +113,7 @@ const StepRuleActionsComponent: FC = ({ ); } return null; - }, [ruleType]); + }, [automatedResponseActionsForAllRulesEnabled, ruleType]); // only display the actions dropdown if the user has "read" privileges for actions const displayActionsDropDown = useMemo(() => { return application.capabilities.actions.show ? ( diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.test.ts index 45a561996e0a9..5d963db71cdea 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.test.ts 
@@ -7,23 +7,10 @@ import { expectParseError, expectParseSuccess, stringifyZodError } from '@kbn/zod-helpers'; import { getListArrayMock } from '../../../../../../common/detection_engine/schemas/types/lists.mock'; -import { PrebuiltRuleAsset, TypeSpecificFields } from './prebuilt_rule_asset'; +import { PrebuiltRuleAsset } from './prebuilt_rule_asset'; import { getPrebuiltRuleMock, getPrebuiltThreatMatchRuleMock } from './prebuilt_rule_asset.mock'; -import { TypeSpecificCreatePropsInternal } from '../../../../../../common/api/detection_engine'; describe('Prebuilt rule asset schema', () => { - it('can be of all rule types that are supported', () => { - // Check that the discriminated union TypeSpecificFields, which is used to create - // the PrebuiltRuleAsset schema, contains all the rule types that are supported. - const createPropsTypes = TypeSpecificCreatePropsInternal.options.map( - (option) => option.shape.type.value - ); - const fieldsTypes = TypeSpecificFields.options.map((option) => option.shape.type.value); - - expect(createPropsTypes).toHaveLength(fieldsTypes.length); - expect(new Set(createPropsTypes)).toEqual(new Set(fieldsTypes)); - }); - test('empty objects do not validate', () => { const payload: Partial = {}; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.ts index 2d7b056f86248..cc7e38632547f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/prebuilt_rules/model/rule_assets/prebuilt_rule_asset.ts 
@@ -6,20 +6,11 @@ */ import * as z from '@kbn/zod'; -import type { IsEqual } from 'type-fest'; -import type { TypeSpecificCreateProps } from '../../../../../../common/api/detection_engine/model/rule_schema'; import { RuleSignatureId, RuleVersion, BaseCreateProps, - EqlRuleCreateFields, - EsqlRuleCreateFields, - MachineLearningRuleCreateFields, - NewTermsRuleCreateFields, - QueryRuleCreateFields, - SavedQueryRuleCreateFields, - ThreatMatchRuleCreateFields, - ThresholdRuleCreateFields, + TypeSpecificCreatePropsInternal, } from '../../../../../../common/api/detection_engine/model/rule_schema'; function zodMaskFor() { @@ -38,6 +29,7 @@ function zodMaskFor() { */ const BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET = zodMaskFor()([ 'actions', + 'response_actions', 'throttle', 'meta', 'output_index', 
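Review bot: Adding `'response_actions'` to BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET silently drops the rationale that the deleted TYPE_SPECIFIC_FIELDS_TO_OMIT block in the next hunk used to carry, and the entry is the only one in the list that changed semantics (from per-type omit to base omit). Since prebuilt rules are content installed from packages and the file's own comment says omitted fields are those "not present in elastic/detection-rules", that reason should stay visible; suggest `'response_actions', // not part of shipped detection-rules content; was stripped per rule type before it became a base prop` beside the new entry, or extend the doc comment above the list, whose start is outside the hunk.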
@@ -47,40 +39,6 @@ const BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET = zodMaskFor( 'outcome', ]); -/** - * Aditionally remove fields which are part only of the optional fields in the rule types that make up - * the TypeSpecificCreateProps discriminatedUnion, by recreating a discriminated union of the types, but - * with the necessary fields omitted, in the types where they exist. Fields to extract: - * - response_actions: from Query and SavedQuery rules - */ -const TYPE_SPECIFIC_FIELDS_TO_OMIT = ['response_actions'] as const; - -const TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES = zodMaskFor()([ - ...TYPE_SPECIFIC_FIELDS_TO_OMIT, -]); -const TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_SAVED_QUERY_RULES = - zodMaskFor()([...TYPE_SPECIFIC_FIELDS_TO_OMIT]); - -export type TypeSpecificFields = z.infer; -export const TypeSpecificFields = z.discriminatedUnion('type', [ - EqlRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES), - QueryRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES), - SavedQueryRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_SAVED_QUERY_RULES), - ThresholdRuleCreateFields, - ThreatMatchRuleCreateFields, - MachineLearningRuleCreateFields, - NewTermsRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES), - EsqlRuleCreateFields.omit(TYPE_SPECIFIC_FIELDS_TO_OMIT_FROM_QUERY_RULES), -]); - -// Make sure the type-specific fields contain all the same rule types as the type-specific rule params. -// TS will throw a type error if the types are not equal (for example, if a new rule type is added to -// the TypeSpecificCreateProps and the new type is not reflected in TypeSpecificFields). -export const areTypesEqual: IsEqual< - typeof TypeSpecificCreateProps._type.type, - typeof TypeSpecificFields._type.type -> = true; - export const PrebuiltAssetBaseProps = BaseCreateProps.omit( BASE_PROPS_REMOVED_FROM_PREBUILT_RULE_ASSET ); 
@@ -101,7 +59,7 @@ export const PrebuiltAssetBaseProps = BaseCreateProps.omit( * - some fields are omitted because they are not present in https://github.com/elastic/detection-rules */ export type PrebuiltRuleAsset = z.infer; -export const PrebuiltRuleAsset = PrebuiltAssetBaseProps.and(TypeSpecificFields).and( +export const PrebuiltRuleAsset = PrebuiltAssetBaseProps.and(TypeSpecificCreatePropsInternal).and( z.object({ rule_id: RuleSignatureId, version: RuleVersion, @@ -112,7 +70,7 @@ function createUpgradableRuleFieldsPayloadByType() { const baseFields = Object.keys(PrebuiltAssetBaseProps.shape); return new Map( - TypeSpecificFields.options.map((option) => { + TypeSpecificCreatePropsInternal.options.map((option) => { const typeName = option.shape.type.value; const typeSpecificFieldsForType = Object.keys(option.shape); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts index f86abd4f08d8d..38e40ab67611f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/common_params_camel_to_snake.ts @@ -6,6 +6,7 @@ */ import snakecaseKeys from 'snakecase-keys'; +import { transformAlertToRuleResponseAction } from '../../../../../../../common/detection_engine/transform_actions'; import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters'; import type { BaseRuleParams } from '../../../../rule_schema'; import { migrateLegacyInvestigationFields } from '../../../utils/utils'; 
@@ -44,6 +45,7 @@ export const commonParamsCamelToSnake = (params: BaseRuleParams) => { rule_source: convertObjectKeysToSnakeCase(params.ruleSource), related_integrations: params.relatedIntegrations ?? [], required_fields: params.requiredFields ?? [], + response_actions: params.responseActions?.map(transformAlertToRuleResponseAction), setup: params.setup ?? '', }; }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts index 2348c11027c65..0c2edf5535f35 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/convert_rule_response_to_alerting_rule.ts @@ -53,6 +53,9 @@ export const convertRuleResponseToAlertingRule = ( const alertActions = ruleActions?.map((action) => transformRuleToAlertAction(action)) ?? []; const actions = transformToActionFrequency(alertActions as RuleActionCamel[], rule.throttle); + const responseActions = rule.response_actions?.map((ruleResponseAction) => + transformRuleToAlertResponseAction(ruleResponseAction) + ); // Because of Omit Typescript doesn't recognize // that rule is assignable to TypeSpecificCreateProps despite omitted fields // are not part of type specific props. So we need to cast here. @@ -94,6 +97,7 @@ export const convertRuleResponseToAlertingRule = ( note: rule.note, version: rule.version, exceptionsList: rule.exceptions_list, + responseActions, ...typeSpecificParams, }, schedule: { interval: rule.interval }, 
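Review bot: `response_actions: params.responseActions?.map(transformAlertToRuleResponseAction)` leaves the key `undefined` when a rule has no response actions, whereas the neighbouring `related_integrations` and `required_fields` lines normalise to `[]`; if the API response schema requires the field (not visible from here) add `?? []`, otherwise a short comment that the key is intentionally absent would stop the next reader from "fixing" it. Passing `transformAlertToRuleResponseAction` directly to `map` also forwards the index and array arguments, which is only safe if its signature takes a single parameter — worth confirming. commonParamsCamelToSnake starts outside the hunk.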
@@ -119,9 +123,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific eventCategoryOverride: params.event_category_override, tiebreakerField: params.tiebreaker_field, alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression), - responseActions: params.response_actions?.map((rule) => - transformRuleToAlertResponseAction(rule) - ), }; } case 'esql': { @@ -130,9 +131,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific language: params.language, query: params.query, alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression), - responseActions: params.response_actions?.map((rule) => - transformRuleToAlertResponseAction(rule) - ), }; } case 'threat_match': { @@ -164,9 +162,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific query: params.query ?? '', filters: params.filters, savedId: params.saved_id, - responseActions: params.response_actions?.map((rule) => - transformRuleToAlertResponseAction(rule) - ), alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression), }; } @@ -216,9 +211,6 @@ const typeSpecificSnakeToCamel = (params: TypeSpecificCreateProps): TypeSpecific language: params.language ?? 'kuery', dataViewId: params.data_view_id, alertSuppression: convertObjectKeysToCamelCase(params.alert_suppression), - responseActions: params.response_actions?.map((rule) => - transformRuleToAlertResponseAction(rule) - ), }; } default: { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/type_specific_camel_to_snake.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/type_specific_camel_to_snake.ts index a4b74e31ba291..5a2f7ba0d3548 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/type_specific_camel_to_snake.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/converters/type_specific_camel_to_snake.ts @@ -6,7 +6,6 @@ */ import type { RequiredOptional } from '@kbn/zod-helpers'; -import { transformAlertToRuleResponseAction } from '../../../../../../../common/detection_engine/transform_actions'; import type { TypeSpecificResponse } from '../../../../../../../common/api/detection_engine/model/rule_schema'; import { assertUnreachable } from '../../../../../../../common/utility_types'; import { convertObjectKeysToSnakeCase } from '../../../../../../utils/object_case_converters'; @@ -28,7 +27,6 @@ export const typeSpecificCamelToSnake = ( event_category_override: params.eventCategoryOverride, tiebreaker_field: params.tiebreakerField, alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression), - response_actions: params.responseActions?.map(transformAlertToRuleResponseAction), }; } case 'esql': { @@ -37,7 +35,6 @@ export const typeSpecificCamelToSnake = ( language: params.language, query: params.query, alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression), - response_actions: params.responseActions?.map(transformAlertToRuleResponseAction), }; } case 'threat_match': { @@ -69,7 +66,6 @@ export const typeSpecificCamelToSnake = ( query: params.query, filters: params.filters, saved_id: params.savedId, - response_actions: params.responseActions?.map(transformAlertToRuleResponseAction), alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression), }; } @@ -82,7 +78,6 @@ export const typeSpecificCamelToSnake = ( filters: params.filters, saved_id: params.savedId, data_view_id: params.dataViewId, - response_actions: params.responseActions?.map(transformAlertToRuleResponseAction), alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression), }; } 
@@ -120,7 +115,6 @@ export const typeSpecificCamelToSnake = ( language: params.language, data_view_id: params.dataViewId, alert_suppression: convertObjectKeysToSnakeCase(params.alertSuppression), - response_actions: params.responseActions?.map(transformAlertToRuleResponseAction), }; } default: { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_defaults.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_defaults.ts index 388b1ab695269..40f0b3eca3b98 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_defaults.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_defaults.ts @@ -86,7 +86,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => { event_category_override: props.event_category_override, tiebreaker_field: props.tiebreaker_field, alert_suppression: props.alert_suppression, - response_actions: props.response_actions, }; } case 'esql': { @@ -95,7 +94,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => { language: props.language, query: props.query, alert_suppression: props.alert_suppression, - response_actions: props.response_actions, }; } case 'threat_match': { @@ -127,7 +125,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => { query: props.query ?? '', filters: props.filters, saved_id: props.saved_id, - response_actions: props.response_actions, alert_suppression: props.alert_suppression, }; } 
@@ -140,7 +137,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => { filters: props.filters, saved_id: props.saved_id, data_view_id: props.data_view_id, - response_actions: props.response_actions, alert_suppression: props.alert_suppression, }; } @@ -178,7 +174,6 @@ export const setTypeSpecificDefaults = (props: TypeSpecificCreateProps) => { language: props.language ?? 'kuery', data_view_id: props.data_view_id, alert_suppression: props.alert_suppression, - response_actions: props.response_actions, }; } default: { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts index d864170746ed3..ba21037ba376f 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/logic/detection_rules_client/mergers/apply_rule_patch.ts @@ -111,6 +111,7 @@ export const applyRulePatch = async ({ interval: rulePatch.interval ?? existingRule.interval, throttle: rulePatch.throttle ?? existingRule.throttle, actions: rulePatch.actions ?? existingRule.actions, + response_actions: rulePatch.response_actions ?? existingRule.response_actions, ...typeSpecificParams, }; @@ -138,7 +139,6 @@ const patchEqlParams = ( rulePatch.event_category_override ?? existingRule.event_category_override, tiebreaker_field: rulePatch.tiebreaker_field ?? existingRule.tiebreaker_field, alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression, - response_actions: rulePatch.response_actions ?? existingRule.response_actions, }; }; 
@@ -151,7 +151,6 @@ const patchEsqlParams = ( language: rulePatch.language ?? existingRule.language, query: rulePatch.query ?? existingRule.query, alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression, - response_actions: rulePatch.response_actions ?? existingRule.response_actions, }; }; @@ -191,7 +190,6 @@ const patchQueryParams = ( query: rulePatch.query ?? existingRule.query, filters: rulePatch.filters ?? existingRule.filters, saved_id: rulePatch.saved_id ?? existingRule.saved_id, - response_actions: rulePatch.response_actions ?? existingRule.response_actions, alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression, }; }; @@ -208,7 +206,6 @@ const patchSavedQueryParams = ( query: rulePatch.query ?? existingRule.query, filters: rulePatch.filters ?? existingRule.filters, saved_id: rulePatch.saved_id ?? existingRule.saved_id, - response_actions: rulePatch.response_actions ?? existingRule.response_actions, alert_suppression: rulePatch.alert_suppression ?? existingRule.alert_suppression, }; }; @@ -260,7 +257,6 @@ const patchNewTermsParams = ( new_terms_fields: params.new_terms_fields ?? existingRule.new_terms_fields, history_window_start: params.history_window_start ?? existingRule.history_window_start, alert_suppression: params.alert_suppression ?? existingRule.alert_suppression, - response_actions: params.response_actions ?? existingRule.response_actions, }; }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/utils/validate.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/utils/validate.ts index 96aaef64b57c9..3d07f935deb7b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/utils/validate.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_management/utils/validate.ts 
@@ -6,15 +6,9 @@ */ import type { PartialRule } from '@kbn/alerting-plugin/server'; -import type { Rule } from '@kbn/alerting-plugin/common'; import { isEqual, xorWith } from 'lodash'; import { stringifyZodError } from '@kbn/zod-helpers'; -import type { - EqlRule, - EsqlRule, - NewTermsRule, - QueryRule, -} from '../../../../../common/api/detection_engine'; +import { shouldShowResponseActions } from '../../../../../common/detection_engine/utils'; import { type ResponseAction, type RuleCreateProps, @@ -26,16 +20,9 @@ import { RESPONSE_ACTION_API_COMMAND_TO_CONSOLE_COMMAND_MAP, RESPONSE_CONSOLE_ACTION_COMMANDS_TO_REQUIRED_AUTHZ, } from '../../../../../common/endpoint/service/response_actions/constants'; -import { shouldShowResponseActions } from '../../../../../common/detection_engine/utils'; import type { SecuritySolutionApiRequestHandlerContext } from '../../../..'; import { CustomHttpRequestError } from '../../../../utils/custom_http_request_error'; -import type { EqlRuleParams, EsqlRuleParams, NewTermsRuleParams } from '../../rule_schema'; -import { - hasValidRuleType, - type RuleAlertType, - type RuleParams, - type UnifiedQueryRuleParams, -} from '../../rule_schema'; +import { hasValidRuleType, type RuleAlertType, type RuleParams } from '../../rule_schema'; import { type BulkError, createBulkErrorObject } from '../../routes/utils'; import { internalRuleToAPIResponse } from '../logic/detection_rules_client/converters/internal_rule_to_api_response'; @@ -70,7 +57,13 @@ export const validateResponseActionsPermissions = async ( ruleUpdate: RuleCreateProps | RuleUpdateProps, existingRule?: RuleAlertType | null ): Promise => { - if (!shouldShowResponseActions(ruleUpdate.type)) { + const { experimentalFeatures } = await securitySolution.getConfig(); + if ( + !shouldShowResponseActions( + ruleUpdate.type, + experimentalFeatures.automatedResponseActionsForAllRulesEnabled + ) + ) { return; } 
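Review bot: The early `return;` in the `@@ -70` hunk still skips the whole permission check whenever shouldShowResponseActions() is false for the rule type, yet this same commit makes `response_actions` a base create/update prop and persists it for every rule type (BaseRuleParams in rule_schemas.ts, applyRulePatch), so a payload carrying `response_actions` for a type the flag does not yet allow appears to be stored without the RBAC check unless something outside this hunk strips it. If no such stripping exists, the gate should reject rather than ignore, e.g. before the `return;`: `if (rulePayloadContainsResponseActions(ruleUpdate) && ruleUpdate.response_actions?.length) { throw new CustomHttpRequestError(/* args as used elsewhere in this file */); }`, and the `return` itself deserves a one-line comment stating why skipping is safe. I cannot see CustomHttpRequestError's constructor or whether `response_actions` is on RuleCreateProps from here, so adjust accordingly. validateResponseActionsPermissions's body continues outside the hunk.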
@@ -117,14 +110,10 @@ export const validateResponseActionsPermissions = async ( }); }; -function rulePayloadContainsResponseActions( - rule: RuleCreateProps | RuleUpdateProps -): rule is QueryRule | EsqlRule | EqlRule | NewTermsRule { +function rulePayloadContainsResponseActions(rule: RuleCreateProps | RuleUpdateProps) { return 'response_actions' in rule; } -function ruleObjectContainsResponseActions( - rule?: RuleAlertType -): rule is Rule { +function ruleObjectContainsResponseActions(rule?: RuleAlertType) { return rule != null && 'params' in rule && 'responseActions' in rule?.params; } diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_response_actions/schedule_notification_response_actions.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_response_actions/schedule_notification_response_actions.ts index b4f4689fed0ff..f3d9b42d24213 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_response_actions/schedule_notification_response_actions.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_response_actions/schedule_notification_response_actions.ts @@ -32,6 +32,9 @@ export const getScheduleNotificationResponseActionsService = const nestedAlerts = signals.map((signal) => expandDottedObject(signal as object)) as Alert[]; const alerts = nestedAlerts.filter((alert) => alert.agent?.id) as AlertWithAgent[]; + if (!alerts.length) { + return; + } return Promise.all( responseActions.map(async (responseAction) => { if ( diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts index e651ffeebaf49..c1192e9a75fd1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_schema/model/rule_schemas.ts 
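Review bot: The new early `return;` in schedule_notification_response_actions.ts makes the callback return `undefined` on one path and `Promise.all(...)` on the other, so callers cannot uniformly chain `.catch` on the result; return `Promise.resolve([])` (or mark the callback `async`) to keep a single return type. The silent exit also skips scheduling entirely when no alert carries `agent.id`, and a debug log line before the `return` would make that visible when an expected response action never ran. The callback's signature is outside the hunk, so I cannot confirm whether it is already `async`.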
@@ -148,6 +148,7 @@ export const BaseRuleParams = z.object({ relatedIntegrations: RelatedIntegrationArray.optional(), requiredFields: RequiredFieldArray.optional(), setup: SetupGuide.optional(), + responseActions: z.array(RuleResponseAction).optional(), }); export type EqlSpecificRuleParams = z.infer; @@ -162,7 +163,6 @@ export const EqlSpecificRuleParams = z.object({ timestampField: TimestampField.optional(), tiebreakerField: TiebreakerField.optional(), alertSuppression: AlertSuppressionCamel.optional(), - responseActions: z.array(RuleResponseAction).optional(), }); export type EqlRuleParams = BaseRuleParams & EqlSpecificRuleParams; @@ -174,7 +174,6 @@ export const EsqlSpecificRuleParams = z.object({ language: z.literal('esql'), query: RuleQuery, alertSuppression: AlertSuppressionCamel.optional(), - responseActions: z.array(RuleResponseAction).optional(), }); export type EsqlRuleParams = BaseRuleParams & EsqlSpecificRuleParams; @@ -212,7 +211,6 @@ export const QuerySpecificRuleParams = z.object({ filters: RuleFilterArray.optional(), savedId: SavedQueryId.optional(), dataViewId: DataViewId.optional(), - responseActions: z.array(RuleResponseAction).optional(), alertSuppression: AlertSuppressionCamel.optional(), }); @@ -228,7 +226,6 @@ export const SavedQuerySpecificRuleParams = z.object({ query: RuleQuery.optional(), filters: RuleFilterArray.optional(), savedId: SavedQueryId, - responseActions: z.array(RuleResponseAction).optional(), alertSuppression: AlertSuppressionCamel.optional(), }); @@ -282,7 +279,6 @@ export const NewTermsSpecificRuleParams = z.object({ language: KqlQueryLanguage, dataViewId: DataViewId.optional(), alertSuppression: AlertSuppressionCamel.optional(), - responseActions: z.array(RuleResponseAction).optional(), }); export type NewTermsRuleParams = BaseRuleParams & NewTermsSpecificRuleParams; 
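Review bot: Moving `responseActions` into BaseRuleParams makes it persistable for every rule type, including the ones the UI and validateResponseActionsPermissions still gate behind the automatedResponseActionsForAllRulesEnabled flag, and nothing on the new line records that. Suggest `responseActions: z.array(RuleResponseAction).optional(), // stored for every rule type; which types may set it is decided by shouldShowResponseActions (common/detection_engine/utils), not by this schema`. The remaining hunks in this file are pure removals.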
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts index 9de8641d7b17c..12af1966b7dce 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/create_eql_alert_type.ts @@ -11,19 +11,14 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; import { SERVER_APP_ID } from '../../../../../common/constants'; import { EqlRuleParams } from '../../rule_schema'; import { eqlExecutor } from './eql'; -import type { - CreateRuleOptions, - SecurityAlertType, - SignalSourceHit, - CreateRuleAdditionalOptions, -} from '../types'; +import type { CreateRuleOptions, SecurityAlertType, SignalSourceHit } from '../types'; import { validateIndexPatterns } from '../utils'; import type { BuildReasonMessage } from '../utils/reason_formatters'; import { wrapSuppressedAlerts } from '../utils/wrap_suppressed_alerts'; import { getIsAlertSuppressionActive } from '../utils/get_is_alert_suppression_active'; export const createEqlAlertType = ( - createOptions: CreateRuleOptions & CreateRuleAdditionalOptions + createOptions: CreateRuleOptions ): SecurityAlertType => { const { experimentalFeatures, version, licensing, scheduleNotificationResponseActionsService } = createOptions; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts index 47e298392d7d9..cd8b76a93d23b 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/eql/eql.ts 
@@ -26,7 +26,7 @@ import type { SearchAfterAndBulkCreateReturnType, SignalSource, WrapSuppressedHits, - CreateRuleAdditionalOptions, + CreateRuleOptions, } from '../types'; import { addToSearchAfterReturn, @@ -71,7 +71,7 @@ interface EqlExecutorParams { isAlertSuppressionActive: boolean; experimentalFeatures: ExperimentalFeatures; state?: Record; - scheduleNotificationResponseActionsService: CreateRuleAdditionalOptions['scheduleNotificationResponseActionsService']; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; } export const eqlExecutor = async ({ @@ -104,7 +104,6 @@ export const eqlExecutor = async ({ const isLoggedRequestsEnabled = state?.isLoggedRequestsEnabled ?? false; const loggedRequests: RulePreviewLoggedRequest[] = []; - // eslint-disable-next-line complexity return withSecuritySpan('eqlExecutor', async () => { const result = createSearchAfterReturnType(); @@ -213,13 +212,11 @@ export const eqlExecutor = async ({ result.warningMessages.push(maxSignalsWarning); } - if (scheduleNotificationResponseActionsService) { - scheduleNotificationResponseActionsService({ - signals: result.createdSignals, - signalsCount: result.createdSignalsCount, - responseActions: completeRule.ruleParams.responseActions, - }); - } + scheduleNotificationResponseActionsService({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); return { result, ...(isLoggedRequestsEnabled ? { loggedRequests } : {}) }; } catch (error) { if ( diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/create_esql_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/create_esql_alert_type.ts index 31afe8d2a191f..043b8e3b3a851 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/create_esql_alert_type.ts 
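Review bot: The now-unconditional `scheduleNotificationResponseActionsService(...)` call in `eqlExecutor` sits inside the executor's `try`, so an exception thrown by the scheduler is handled by the `catch` below (whose body is cut off here) and would be attributed to the EQL search rather than to response-action dispatch. If the service is meant to be synchronous and non-throwing (its type returns `void`), state that at the call site, e.g. `// Must not throw: failures are surfaced by the response-action layer, not as rule errors.`; otherwise give it its own try/catch that pushes to `result.warningMessages`. `eqlExecutor` starts and ends outside these hunks.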
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/create_esql_alert_type.ts @@ -11,10 +11,10 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; import { SERVER_APP_ID } from '../../../../../common/constants'; import { EsqlRuleParams } from '../../rule_schema'; import { esqlExecutor } from './esql'; -import type { CreateRuleOptions, SecurityAlertType, CreateRuleAdditionalOptions } from '../types'; +import type { CreateRuleOptions, SecurityAlertType } from '../types'; export const createEsqlAlertType = ( - createOptions: CreateRuleOptions & CreateRuleAdditionalOptions + createOptions: CreateRuleOptions ): SecurityAlertType => { const { version, experimentalFeatures, licensing, scheduleNotificationResponseActionsService } = createOptions; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts index 1e5b1749e94f5..a076ea0c62635 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/esql/esql.ts @@ -28,7 +28,7 @@ import { rowToDocument } from './utils'; import { fetchSourceDocuments } from './fetch_source_documents'; import { buildReasonMessageForEsqlAlert } from '../utils/reason_formatters'; import type { RulePreviewLoggedRequest } from '../../../../../common/api/detection_engine/rule_preview/rule_preview.gen'; -import type { RunOpts, SignalSource, CreateRuleAdditionalOptions } from '../types'; +import type { CreateRuleOptions, RunOpts, SignalSource } from '../types'; import { logEsqlRequest } from '../utils/logged_requests'; import * as i18n from '../translations'; 
@@ -74,7 +74,7 @@ export const esqlExecutor = async ({ version: string; experimentalFeatures: ExperimentalFeatures; licensing: LicensingPluginSetup; - scheduleNotificationResponseActionsService: CreateRuleAdditionalOptions['scheduleNotificationResponseActionsService']; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; }) => { const loggedRequests: RulePreviewLoggedRequest[] = []; const ruleParams = completeRule.ruleParams; @@ -245,13 +245,11 @@ export const esqlExecutor = async ({ } } - if (scheduleNotificationResponseActionsService) { - scheduleNotificationResponseActionsService({ - signals: result.createdSignals, - signalsCount: result.createdSignalsCount, - responseActions: completeRule.ruleParams.responseActions, - }); - } + scheduleNotificationResponseActionsService({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); // no more results will be found if (response.values.length < size) { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts index d7f3e96d9a43d..9c51d22d31ee1 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/create_indicator_match_alert_type.ts 
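Review bot: In `esqlExecutor` the scheduler appears to be invoked inside a paging loop (the call is followed by the `if (response.values.length < size)` exit check), and it is passed the cumulative `result.createdSignals`, so signals created on an earlier page look like they would be dispatched again on every later page; for endpoint actions that could mean repeated isolate/kill or duplicate osquery runs per host. This predates the commit, but the commit removes the last guard around the call, so it is worth confirming the service deduplicates or moving the call after the loop. If per-page dispatch is intentional, a comment such as `// Called once per page; the service is expected to dedupe already-scheduled signals.` would document it. `esqlExecutor` starts and ends outside the hunk.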
@@ -20,7 +20,13 @@ import type { BuildReasonMessage } from '../utils/reason_formatters'; export const createIndicatorMatchAlertType = ( createOptions: CreateRuleOptions ): SecurityAlertType => { - const { eventsTelemetry, version, licensing, experimentalFeatures } = createOptions; + const { + eventsTelemetry, + version, + licensing, + experimentalFeatures, + scheduleNotificationResponseActionsService, + } = createOptions; return { id: INDICATOR_RULE_TYPE_ID, name: 'Indicator Match Rule', @@ -122,6 +128,7 @@ export const createIndicatorMatchAlertType = ( runOpts, licensing, experimentalFeatures, + scheduleNotificationResponseActionsService, }); return { ...result, state }; }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/indicator_match.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/indicator_match.ts index b8392a82bb6c0..d243943b9417c 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/indicator_match.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/indicator_match.ts @@ -16,7 +16,14 @@ import type { } from '@kbn/alerting-plugin/server'; import type { ListClient } from '@kbn/lists-plugin/server'; import type { Filter } from '@kbn/es-query'; -import type { RuleRangeTuple, BulkCreate, WrapHits, WrapSuppressedHits, RunOpts } from '../types'; +import type { + RuleRangeTuple, + BulkCreate, + WrapHits, + WrapSuppressedHits, + RunOpts, + CreateRuleOptions, +} from '../types'; import type { ITelemetryEventsSender } from '../../../telemetry/sender'; import { createThreatSignals } from './threat_mapping/create_threat_signals'; import type { CompleteRule, ThreatRuleParams } from '../../rule_schema'; 
@@ -47,6 +54,7 @@ export const indicatorMatchExecutor = async ({ runOpts, licensing, experimentalFeatures, + scheduleNotificationResponseActionsService, }: { inputIndex: string[]; runtimeMappings: estypes.MappingRuntimeFields | undefined; @@ -67,6 +75,7 @@ export const indicatorMatchExecutor = async ({ wrapSuppressedHits: WrapSuppressedHits; runOpts: RunOpts; licensing: LicensingPluginSetup; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; experimentalFeatures: ExperimentalFeatures; }) => { const ruleParams = completeRule.ruleParams; @@ -107,6 +116,7 @@ export const indicatorMatchExecutor = async ({ runOpts, licensing, experimentalFeatures, + scheduleNotificationResponseActionsService, }); }); }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/create_threat_signals.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/create_threat_signals.ts index 4d477d53604a4..f05914201ad09 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/create_threat_signals.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/create_threat_signals.ts @@ -74,6 +74,7 @@ export const createThreatSignals = async ({ unprocessedExceptions, licensing, experimentalFeatures, + scheduleNotificationResponseActionsService, }: CreateThreatSignalsOptions): Promise => { const threatMatchedFields = getMatchedFields(threatMapping); const threatFieldsLength = threatMatchedFields.threat.length; 
@@ -460,7 +461,11 @@ export const createThreatSignals = async ({ `Error trying to close point in time: "${threatPitId}", it will expire within "${THREAT_PIT_KEEP_ALIVE}". Error is: "${error}"` ); } - + scheduleNotificationResponseActionsService({ + signals: results.createdSignals, + signalsCount: results.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); ruleExecutionLogger.debug('Indicator matching rule has completed'); return results; }; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/types.ts index 37bc9d1810137..4eac8bd6a8864 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/types.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/indicator_match/threat_mapping/types.ts @@ -38,6 +38,7 @@ import type { WrapSuppressedHits, OverrideBodyQuery, RunOpts, + CreateRuleOptions, } from '../../types'; import type { CompleteRule, ThreatRuleParams } from '../../../rule_schema'; import type { IRuleExecutionLogForExecutors } from '../../../rule_monitoring'; @@ -80,6 +81,7 @@ export interface CreateThreatSignalsOptions { runOpts: RunOpts; licensing: LicensingPluginSetup; experimentalFeatures: ExperimentalFeatures; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; } export interface CreateThreatSignalOptions { @@ -172,6 +174,7 @@ export interface CreateEventSignalOptions { } type EntryKey = 'field' | 'value'; + export interface BuildThreatMappingFilterOptions { chunkSize?: number; threatList: ThreatListItem[]; @@ -273,6 +276,7 @@ interface BaseThreatNamedQuery { value: string; queryType: string; } + export interface ThreatMatchNamedQuery extends BaseThreatNamedQuery { id: string; index: string; 
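Review bot: The scheduling call is placed only on the final exit path of `createThreatSignals`, after the point-in-time close; if the function has an earlier `return results` after alerts have been created (its body begins well before this hunk), those runs would never dispatch response actions. Worth confirming there is no such early exit, or funnelling all returns through one point. Dispatching even when closing the PIT failed is likely intended but deserves a line such as `// Dispatch response actions for every alert created in this run, regardless of PIT cleanup.`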
@@ -325,6 +329,7 @@ export interface EventDoc { } export type EventItem = estypes.SearchHit; + export interface EventCountOptions { esClient: ElasticsearchClient; index: string[]; diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts index 09a4a2e4cb1ee..4d896c4efdaa4 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/create_ml_alert_type.ts @@ -19,7 +19,8 @@ import { wrapSuppressedAlerts } from '../utils/wrap_suppressed_alerts'; export const createMlAlertType = ( createOptions: CreateRuleOptions ): SecurityAlertType => { - const { experimentalFeatures, ml, licensing } = createOptions; + const { experimentalFeatures, ml, licensing, scheduleNotificationResponseActionsService } = + createOptions; return { id: ML_RULE_TYPE_ID, name: 'Machine Learning Rule', @@ -106,6 +107,7 @@ export const createMlAlertType = ( alertWithSuppression, isAlertSuppressionActive, experimentalFeatures, + scheduleNotificationResponseActionsService, }); return { ...result, state }; }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts index 59a0204ef9545..2a3fa8360e3f8 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.test.ts @@ -23,6 +23,7 @@ jest.mock('./bulk_create_ml_signals'); describe('ml_executor', () => { let mockExperimentalFeatures: jest.Mocked; + let mockScheduledNotificationResponseAction: jest.Mock; let jobsSummaryMock: jest.Mock; let forceStartDatafeedsMock: jest.Mock; let stopDatafeedsMock: jest.Mock; 
@@ -40,6 +41,7 @@ describe('ml_executor', () => { beforeEach(() => { mockExperimentalFeatures = {} as jest.Mocked; + mockScheduledNotificationResponseAction = jest.fn(); jobsSummaryMock = jest.fn(); mlMock = mlPluginServerMock.createSetupContract(); mlMock.jobServiceProvider.mockReturnValue({ @@ -88,6 +90,7 @@ describe('ml_executor', () => { alertWithSuppression: jest.fn(), isAlertSuppressionActive: true, experimentalFeatures: mockExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }) ).rejects.toThrow('ML plugin unavailable during rule execution'); }); @@ -110,6 +113,7 @@ describe('ml_executor', () => { alertWithSuppression: jest.fn(), isAlertSuppressionActive: true, experimentalFeatures: mockExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }); expect(ruleExecutionLogger.warn).toHaveBeenCalled(); expect(ruleExecutionLogger.warn.mock.calls[0][0]).toContain( @@ -143,6 +147,7 @@ describe('ml_executor', () => { alertWithSuppression: jest.fn(), isAlertSuppressionActive: true, experimentalFeatures: mockExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }); expect(ruleExecutionLogger.warn).toHaveBeenCalled(); expect(ruleExecutionLogger.warn.mock.calls[0][0]).toContain( @@ -172,6 +177,7 @@ describe('ml_executor', () => { alertWithSuppression: jest.fn(), isAlertSuppressionActive: true, experimentalFeatures: mockExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }); expect(result.userError).toEqual(true); expect(result.success).toEqual(false); @@ -204,6 +210,7 @@ describe('ml_executor', () => { alertWithSuppression: jest.fn(), isAlertSuppressionActive: true, experimentalFeatures: mockExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }); expect(result).toEqual( 
@@ -212,4 +219,29 @@ describe('ml_executor', () => { }) ); }); + it('should call scheduleNotificationResponseActionsService', async () => { + const result = await mlExecutor({ + completeRule: mlCompleteRule, + tuple, + ml: mlMock, + services: alertServices, + ruleExecutionLogger, + listClient, + bulkCreate: jest.fn(), + wrapHits: jest.fn(), + exceptionFilter: undefined, + unprocessedExceptions: [], + wrapSuppressedHits: jest.fn(), + alertTimestampOverride: undefined, + alertWithSuppression: jest.fn(), + isAlertSuppressionActive: true, + experimentalFeatures: mockExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, + }); + expect(mockScheduledNotificationResponseAction).toBeCalledWith({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: mlCompleteRule.ruleParams.responseActions, + }); + }); }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts index 4b7de9b27a667..1da14640c5a51 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/ml/ml.ts @@ -23,7 +23,13 @@ import type { CompleteRule, MachineLearningRuleParams } from '../../rule_schema' import { bulkCreateMlSignals } from './bulk_create_ml_signals'; import { filterEventsAgainstList } from '../utils/large_list_filters/filter_events_against_list'; import { findMlSignals } from './find_ml_signals'; -import type { BulkCreate, RuleRangeTuple, WrapHits, WrapSuppressedHits } from '../types'; +import type { + BulkCreate, + CreateRuleOptions, + RuleRangeTuple, + WrapHits, + WrapSuppressedHits, +} from '../types'; import { addToSearchAfterReturn, createErrorsFromShard, 
@@ -54,6 +60,7 @@ interface MachineLearningRuleExecutorParams { alertWithSuppression: SuppressedAlertService; isAlertSuppressionActive: boolean; experimentalFeatures: ExperimentalFeatures; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; } export const mlExecutor = async ({ @@ -72,6 +79,7 @@ export const mlExecutor = async ({ alertTimestampOverride, alertWithSuppression, experimentalFeatures, + scheduleNotificationResponseActionsService, }: MachineLearningRuleExecutorParams) => { const result = createSearchAfterReturnType(); const ruleParams = completeRule.ruleParams; @@ -191,6 +199,11 @@ export const mlExecutor = async ({ const searchErrors = createErrorsFromShard({ errors: shardFailures, }); + scheduleNotificationResponseActionsService({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); return mergeReturns([ result, createSearchAfterReturnType({ diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts index fc0c4b31426df..6b50f0fe0505e 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/new_terms/create_new_terms_alert_type.ts 
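Review bot: In `mlExecutor` the scheduler is invoked right after `createErrorsFromShard` and before those shard errors are merged into the return value, so response actions are dispatched even when the anomaly search reported shard failures; this mirrors the other executors but is a judgement call that should be stated, e.g. `// Scheduled on whatever alerts were created, even if some shards failed.`. The signals handed over are `result.createdSignals`, which `mergeReturns` also carries into the final return, so the ordering is otherwise consistent. `mlExecutor` starts and ends outside the hunk.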
@@ -12,7 +12,7 @@ import { DEFAULT_APP_CATEGORIES } from '@kbn/core-application-common'; import { SERVER_APP_ID } from '../../../../../common/constants'; import { NewTermsRuleParams } from '../../rule_schema'; -import type { CreateRuleOptions, SecurityAlertType, CreateRuleAdditionalOptions } from '../types'; +import type { CreateRuleOptions, SecurityAlertType } from '../types'; import { singleSearchAfter } from '../utils/single_search_after'; import { getFilter } from '../utils/get_filter'; import { wrapNewTermsAlerts } from './wrap_new_terms_alerts'; @@ -46,7 +46,7 @@ import { multiTermsComposite } from './multi_terms_composite'; import type { GenericBulkCreateResponse } from '../utils/bulk_create_with_suppression'; export const createNewTermsAlertType = ( - createOptions: CreateRuleOptions & CreateRuleAdditionalOptions + createOptions: CreateRuleOptions ): SecurityAlertType => { const { logger, licensing, experimentalFeatures, scheduleNotificationResponseActionsService } = createOptions; @@ -415,13 +415,11 @@ export const createNewTermsAlertType = ( afterKey = searchResultWithAggs.aggregations.new_terms.after_key; } - if (scheduleNotificationResponseActionsService) { - scheduleNotificationResponseActionsService({ - signals: result.createdSignals, - signalsCount: result.createdSignalsCount, - responseActions: completeRule.ruleParams.responseActions, - }); - } + scheduleNotificationResponseActionsService({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); return { ...result, state }; }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/query.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/query.ts index edf7ece7cc84b..8c235c5e8f238 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/query.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/query/query.ts @@ -22,7 +22,7 @@ import type { UnifiedQueryRuleParams } from '../../rule_schema'; import type { ExperimentalFeatures } from '../../../../../common/experimental_features'; import { buildReasonMessageForQueryAlert } from '../utils/reason_formatters'; import { withSecuritySpan } from '../../../../utils/with_security_span'; -import type { CreateRuleAdditionalOptions, RunOpts } from '../types'; +import type { CreateRuleOptions, RunOpts } from '../types'; export const queryExecutor = async ({ runOpts, @@ -42,7 +42,7 @@ export const queryExecutor = async ({ version: string; spaceId: string; bucketHistory?: BucketHistory[]; - scheduleNotificationResponseActionsService: CreateRuleAdditionalOptions['scheduleNotificationResponseActionsService']; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; licensing: LicensingPluginSetup; }) => { const completeRule = runOpts.completeRule; @@ -98,13 +98,11 @@ export const queryExecutor = async ({ state: {}, }; - if (scheduleNotificationResponseActionsService) { - scheduleNotificationResponseActionsService({ - signals: result.createdSignals, - signalsCount: result.createdSignalsCount, - responseActions: completeRule.ruleParams.responseActions, - }); - } + scheduleNotificationResponseActionsService({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); return result; }); diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts index f48cea676b953..a890315aa2688 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/create_threshold_alert_type.ts @@ -19,7 +19,8 @@ import { validateIndexPatterns } from '../utils'; export const createThresholdAlertType = ( createOptions: CreateRuleOptions ): SecurityAlertType => { - const { version, licensing, experimentalFeatures } = createOptions; + const { version, licensing, experimentalFeatures, scheduleNotificationResponseActionsService } = + createOptions; return { id: THRESHOLD_RULE_TYPE_ID, name: 'Threshold Rule', @@ -102,6 +103,7 @@ export const createThresholdAlertType = ( runOpts: execOptions.runOpts, licensing, experimentalFeatures, + scheduleNotificationResponseActionsService, }); return result; }, diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts index 8c790596b99ba..de4af3354794d 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.test.ts @@ -27,7 +27,7 @@ jest.mock('../utils/get_filter', () => ({ getFilter: jest.fn() })); describe('threshold_executor', () => { let alertServices: RuleExecutorServicesMock; let ruleExecutionLogger: ReturnType; - + let mockScheduledNotificationResponseAction: jest.Mock; const version = '8.0.0'; const params = getThresholdRuleParams(); const thresholdCompleteRule = getCompleteRuleMock(params); @@ -54,6 +54,7 @@ describe('threshold_executor', () => { ruleName: thresholdCompleteRule.ruleConfig.name, ruleType: thresholdCompleteRule.ruleConfig.ruleTypeId, }); + mockScheduledNotificationResponseAction = jest.fn(); }); describe('thresholdExecutor', () => { 
@@ -113,6 +114,7 @@ describe('threshold_executor', () => { runOpts: {} as RunOpts, licensing, experimentalFeatures: {} as ExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }); expect(response.state).toEqual({ initialized: true, @@ -178,6 +180,7 @@ describe('threshold_executor', () => { runOpts: {} as RunOpts, licensing, experimentalFeatures: {} as ExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, }); expect(result.warningMessages).toEqual([ `The following exceptions won't be applied to rule execution: ${ @@ -185,5 +188,46 @@ describe('threshold_executor', () => { }`, ]); }); + it('should call scheduleNotificationResponseActionsService', async () => { + const ruleDataClientMock = createRuleDataClientMock(); + const state = { + initialized: true, + signalHistory: {}, + }; + const result = await thresholdExecutor({ + completeRule: thresholdCompleteRule, + tuple, + services: alertServices, + state, + version, + ruleExecutionLogger, + startedAt: new Date(), + bulkCreate: jest.fn().mockImplementation((hits) => ({ + errors: [], + success: true, + bulkCreateDuration: '0', + createdItemsCount: 0, + createdItems: [], + })), + wrapHits: jest.fn(), + ruleDataClient: ruleDataClientMock, + runtimeMappings: {}, + inputIndex: ['auditbeat-*'], + primaryTimestamp: TIMESTAMP, + aggregatableTimestampField: TIMESTAMP, + exceptionFilter: undefined, + unprocessedExceptions: [getExceptionListItemSchemaMock()], + spaceId: 'default', + runOpts: {} as RunOpts, + licensing, + experimentalFeatures: {} as ExperimentalFeatures, + scheduleNotificationResponseActionsService: mockScheduledNotificationResponseAction, + }); + expect(mockScheduledNotificationResponseAction).toBeCalledWith({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: thresholdCompleteRule.ruleParams.responseActions, + }); + }); }); }); 
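Review bot: The new `should call scheduleNotificationResponseActionsService` case mocks `bulkCreate` to create zero items, so it only asserts the wiring with an empty `signals` array and never checks that created alerts actually reach the scheduler; a second case with a non-empty `createdItems` would pin that. On style, `toBeCalledWith` is the deprecated jest alias for `toHaveBeenCalledWith`, and the unused `hits` parameter can go: `bulkCreate: jest.fn().mockReturnValue({ errors: [], success: true, bulkCreateDuration: '0', createdItemsCount: 0, createdItems: [] })`.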
diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts index 06a0ff89ccc40..d56e164438509 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts +++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/threshold/threshold.ts @@ -33,6 +33,7 @@ import type { SearchAfterAndBulkCreateReturnType, WrapHits, RunOpts, + CreateRuleOptions, } from '../types'; import type { ThresholdAlertState, ThresholdSignalHistory } from './types'; import { @@ -68,6 +69,7 @@ export const thresholdExecutor = async ({ runOpts, licensing, experimentalFeatures, + scheduleNotificationResponseActionsService, }: { inputIndex: string[]; runtimeMappings: estypes.MappingRuntimeFields | undefined; @@ -90,6 +92,7 @@ export const thresholdExecutor = async ({ runOpts: RunOpts; licensing: LicensingPluginSetup; experimentalFeatures: ExperimentalFeatures; + scheduleNotificationResponseActionsService: CreateRuleOptions['scheduleNotificationResponseActionsService']; }): Promise => { const result = createSearchAfterReturnType(); const ruleParams = completeRule.ruleParams; @@ -209,7 +212,11 @@ export const thresholdExecutor = async ({ result.errors.push(...searchErrors); result.warningMessages.push(...warnings); result.searchAfterTimes = searchDurations; - + scheduleNotificationResponseActionsService({ + signals: result.createdSignals, + signalsCount: result.createdSignalsCount, + responseActions: completeRule.ruleParams.responseActions, + }); return { ...result, state: { diff --git a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts index 6e2999ae5e3b2..34307ea495268 100644 --- a/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts 
+++ b/x-pack/plugins/security_solution/server/lib/detection_engine/rule_types/types.ts @@ -163,6 +163,7 @@ export interface CreateRuleOptions { eventsTelemetry?: ITelemetryEventsSender | undefined; version: string; licensing: LicensingPluginSetup; + scheduleNotificationResponseActionsService: (params: ScheduleNotificationActions) => void; } export interface ScheduleNotificationActions { @@ -171,11 +172,7 @@ export interface ScheduleNotificationActions { responseActions: RuleResponseAction[] | undefined; } -export interface CreateRuleAdditionalOptions { - scheduleNotificationResponseActionsService?: (params: ScheduleNotificationActions) => void; -} - -export interface CreateQueryRuleOptions extends CreateRuleOptions, CreateRuleAdditionalOptions { +export interface CreateQueryRuleOptions extends CreateRuleOptions { id: typeof QUERY_RULE_TYPE_ID | typeof SAVED_QUERY_RULE_TYPE_ID; name: 'Custom Query Rule' | 'Saved Query Rule'; } diff --git a/x-pack/plugins/security_solution/server/plugin.ts b/x-pack/plugins/security_solution/server/plugin.ts index ab4a213862a5b..623eaef59afc0 100644 --- a/x-pack/plugins/security_solution/server/plugin.ts +++ b/x-pack/plugins/security_solution/server/plugin.ts @@ -76,10 +76,7 @@ import { PolicyWatcher } from './endpoint/lib/policy/license_watch'; import previewPolicy from './lib/detection_engine/routes/index/preview_policy.json'; import type { IRuleMonitoringService } from './lib/detection_engine/rule_monitoring'; import { createRuleMonitoringService } from './lib/detection_engine/rule_monitoring'; -import type { - CreateRuleAdditionalOptions, - CreateRuleOptions, -} from './lib/detection_engine/rule_types/types'; +import type { CreateRuleOptions } from './lib/detection_engine/rule_types/types'; // eslint-disable-next-line no-restricted-imports import { isLegacyNotificationRuleExecutor, 
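Review bot: `scheduleNotificationResponseActionsService` becomes a required member of `CreateRuleOptions` with no doc comment, while the optional `CreateRuleAdditionalOptions` variant is deleted; a TSDoc line would tell rule-type authors the contract they now must honour, e.g. `/** Dispatches the rule's configured response actions (endpoint/osquery) for the alerts created in a run; every executor must call it with its created signals. */`. Whether "once per execution" is part of that contract cannot be confirmed from here (the esql executor appears to call it per page), so word it to match the real expectation. `CreateRuleOptions` and `ScheduleNotificationActions` start before the hunk.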
@@ -280,6 +277,10 @@ export class Plugin implements ISecuritySolutionPlugin { eventsTelemetry: this.telemetryEventsSender, version: pluginContext.env.packageInfo.version, licensing: plugins.licensing, + scheduleNotificationResponseActionsService: getScheduleNotificationResponseActionsService({ + endpointAppContextService: this.endpointAppContextService, + osqueryCreateActionService: plugins.osquery.createActionService, + }), }; const ruleDataServiceOptions = { @@ -321,28 +322,18 @@ export class Plugin implements ISecuritySolutionPlugin { analytics: core.analytics, }; - const ruleAdditionalOptions: CreateRuleAdditionalOptions = { - scheduleNotificationResponseActionsService: getScheduleNotificationResponseActionsService({ - endpointAppContextService: this.endpointAppContextService, - osqueryCreateActionService: plugins.osquery.createActionService, - }), - }; - const securityRuleTypeWrapper = createSecurityRuleTypeWrapper(securityRuleTypeOptions); - plugins.alerting.registerType( - securityRuleTypeWrapper(createEqlAlertType({ ...ruleOptions, ...ruleAdditionalOptions })) - ); + plugins.alerting.registerType(securityRuleTypeWrapper(createEqlAlertType({ ...ruleOptions }))); if (!experimentalFeatures.esqlRulesDisabled) { plugins.alerting.registerType( - securityRuleTypeWrapper(createEsqlAlertType({ ...ruleOptions, ...ruleAdditionalOptions })) + securityRuleTypeWrapper(createEsqlAlertType({ ...ruleOptions })) ); } plugins.alerting.registerType( securityRuleTypeWrapper( createQueryAlertType({ ...ruleOptions, - ...ruleAdditionalOptions, id: SAVED_QUERY_RULE_TYPE_ID, name: 'Saved Query Rule', }) @@ -356,7 +347,6 @@ export class Plugin implements ISecuritySolutionPlugin { securityRuleTypeWrapper( createQueryAlertType({ ...ruleOptions, - ...ruleAdditionalOptions, id: QUERY_RULE_TYPE_ID, name: 'Custom Query Rule', }) 
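Review bot: `plugins.osquery.createActionService` is now dereferenced unconditionally while building `ruleOptions` in `setup`, so if `osquery` is an optional plugin dependency of security_solution this throws at startup instead of degrading the way the removed optional `CreateRuleAdditionalOptions` allowed. If it is a required dependency this is fine, and a short comment would stop the question recurring: `// osquery is a required plugin dependency, so createActionService is always present.` The `setup` method extends beyond these hunks.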
@@ -364,7 +354,7 @@ export class Plugin implements ISecuritySolutionPlugin { ); plugins.alerting.registerType(securityRuleTypeWrapper(createThresholdAlertType(ruleOptions))); plugins.alerting.registerType( - securityRuleTypeWrapper(createNewTermsAlertType({ ...ruleOptions, ...ruleAdditionalOptions })) + securityRuleTypeWrapper(createNewTermsAlertType({ ...ruleOptions })) ); // TODO We need to get the endpoint routes inside of initRoutes
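Review bot: `createNewTermsAlertType({ ...ruleOptions })` copies an object only to pass it straight through, while the threshold registration one line above passes `ruleOptions` directly; the same spread remains on the eql and esql registrations earlier in `setup`. For consistency: `securityRuleTypeWrapper(createNewTermsAlertType(ruleOptions))`. This is style only; the behaviour is identical.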